While long term care and senior living organizations may not be able to prevent a data incident, there are many steps an organization can take to prepare.
Know Your Data
The first step in preparing for a data incident is to understand the landscape, including the applicable regulatory schemes, your organization’s contractual and other commitments, and the individually identifiable data it maintains and transmits.
A threshold question is whether HIPAA and its breach notification requirements will apply. HIPAA applies to health care providers billing federal or commercial payors or engaging in other “standard transactions” using prescribed forms, including electronic coordination of benefits or enrollment activities, which will include most skilled nursing facilities, home health agencies, hospices, and certain assisted living facilities. Vendors supporting long term care organizations will be regulated by HIPAA if their services involve using or disclosing protected health information.
Organizations falling outside of HIPAA that provide electronic health care offerings, including websites and apps that track fitness, sleep, and diet, as well as vendors that provide services to such organizations, may be subject to the breach notification requirements of the FTC’s Health Breach Notification Rule.
In addition, each state has a data breach notification law. While similar, the varying state provisions defining the types of data deemed to be personal information and the types of events that trigger a breach can pose challenges for organizations serving individuals across multiple states. For example, certain states consider health information to be personal information while others focus on Social Security numbers, driver’s license numbers, and financial account information.
In addition to understanding applicable laws and regulations, long term care and senior housing entities should understand their organization’s contractual commitments, as well as its policies and any public-facing commitments. For example, vendors in the long term care space should understand data incident reporting requirements of any HIPAA business associate agreements that they have executed, and an organization with a website privacy policy or a HIPAA Notice of Privacy Practices should take into account any commitments made in those documents regarding incident or breach notification.
Finally, in order to prepare for a data incident, a long term care or senior housing organization should understand what individually identifiable data it holds, where that data is maintained, and, to the extent applicable, where and how that data is transmitted. This will include resident and patient data as well as other types of sensitive data, including employee/board member/volunteer/vendor personal information, financial information on individuals or entities, and any data held by sponsors of self-insured health and welfare plans on plan beneficiaries. Your organization should understand on which servers or other locations it stores which data; which apps, systems, or other methods are used to transmit data; and the persons or entities who receive individually identifiable data from your organization.
Analyze Risks and Make a Plan
Your organization should take what you learned about your data, applicable laws and regulations, and relevant commitments and apply those elements to risk analysis and management and incident preparation. One of the best ways to prepare for a data incident is to conduct a comprehensive and enterprise-wide security risk analysis. This is a requirement for entities regulated under HIPAA and other cybersecurity compliance structures, such as an International Standards Organization (ISO) certification, and it is a vital best practice for every organization.
A risk analysis can be conducted internally by information security and compliance personnel or externally by a vendor to analyze risks and vulnerabilities to confidential data across the organization. This analysis should be conducted at least annually and should be a living document, updated to reflect any new service lines, processes, or technology.
Long term care and senior housing organizations should take the results of a security risk analysis and create a risk management plan, focusing on eliminating or mitigating areas of high risk and progressing down to areas of lower importance. This process can be structured in a manner that is manageable for the organization and that allows different individuals to tackle issues simultaneously under a centralized plan.
Training Staff and Vendors
As organizations look to address identified risks, it is important to ensure that their data security program addresses risks related to two common “weakest links”—personnel and vendors. HIPAA, certain state laws, and other certification requirements mandate that organizations implement data security training. While this can be accomplished with a template online module, providing personnel with focused, role-based data security training may result in greater security awareness. Entities also should provide training updates, reminders, and tailored responses to identified threats or actual incidents.
Vendor diligence and security controls also are critical to preventing data incidents, and vendor contracts can be used as a vehicle to require the vendor to maintain certain security standards to protect confidential data, to specify incident reporting requirements, and to require indemnification for data incident-related liability.
Formulate an Incident Response Plan
Another key component to preparing for a data incident is an organization’s incident response plan. Similar to a security risk analysis, the incident response plan must be a living document that is updated to account for personnel changes within the organization, new vendors, identified risks, and other organizational changes. It should outline your incident response team, including internal personnel and external vendors, as well as the responsibility allocated to team members. The plan should be structured in a way that describes how the organization will respond to specific types of incidents and the risks identified by your organization.
The incident response plan also should include template documents to facilitate a rapid response at the time of an incident. For example, your organization can prepare template data breach notifications for regulators, individuals, consumer reporting agencies, and the media. The plan also can include communication templates for internal and external stakeholder notifications.
The final implementation step is to ensure that your incident response team, as well as all of your organization’s personnel, understand the protocols in place for an incident or potential incident. The incident response team should conduct periodic tabletop exercises to simulate an incident and practice the organization’s response. Lessons learned and gaps identified should be addressed in an update to the incident response plan.
While your organization may not be able to thwart a data incident, resources invested into planning for one may result in greater security for confidential data, faster identification of a potential issue, and more efficient data event response.
Valerie Breslin Montague is partner at Nixon Peabody LLP and a Certified Information Privacy Professional/United States (CIPP/US), the preeminent credential in the field of privacy.