AHLA's Speaking of Health Law

HIPAA Liability, Part 1: Maintaining Organizational Compliance

June 06, 2023 AHLA Podcasts

In the first episode of this two-part series that delves into the perspectives of those at the front lines of HIPAA liability, Andrew Sylora, Associate, Vedder Price, speaks with Anthony Archer, Chief Privacy Officer, Scan Health Plan, about the difficulties of maintaining HIPAA compliance in a complex workforce. They discuss case studies of HIPAA breaches that have occurred at health plans, strategies for mitigating against breaches, and the practical elements for training and implementing organizational components to protect against breaches. From AHLA’s Health Care Liability and Litigation Practice Group.

Listen to Part 2, which discusses anticipated changes, here.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

This episode of AHLA's Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org.

Speaker 2:

My name is Andrew Sylora. I am an associate in the Chicago office of Vedder Price, specifically in their healthcare group. We help a variety of healthcare organizations, physician groups, and healthcare-related entities manage regulatory risks, corporate risks, and essentially the broad suite of healthcare-related issues. And for today's episode, I'm fortunate to be here with Anthony Archer. Anthony is currently serving as the Chief Privacy Officer for Scan Health Plan. So, Anthony, could you introduce yourself and maybe tell the listeners a little bit about your role and background and your path to Scan Health Plan?

Speaker 3:

Thanks, Andrew. So nice to be here. Once again, my name is Anthony Archer. I am the Chief Privacy Officer here at Scan Health Plan in Long Beach, California. Prior to my role here at Scan, I served many years ago at Kaiser Permanente in an IT capacity as a senior IT consultant. There I learned the HIPAA security trade from Kaiser. I left there and went on to do good work over at Dignity Health, where I served as a compliance and privacy officer for approximately seven years over two hospitals in the LA area, in Camarillo and the Oxnard area. And then prior to coming to Scan, most recently I served seven years as the executive director of privacy for Molina Healthcare, which is a larger MCO here in the Long Beach area as well. Currently at Scan I'm responsible for managing the enterprise privacy operations. Primarily that relates to our Medicare line of business. And currently we're expanding into other states, so the focus is really on expansion and also on ensuring that privacy operations across the enterprise meet the state and regulatory compliance goals.

Speaker 2:

Great. It's always great to have somebody who obviously has been through a variety of different healthcare environments and dealt with the issues of HIPAA and privacy that come along with being in those different environments. So I want to focus today's topic on where you're currently at, which is a health plan. As I think our listeners know, HIPAA has always been a consideration for any healthcare-related organization, and this of course is no different for a health plan being a covered entity. So we hear about health plan breaches and things of that nature. But I think something listeners might be really interested in hearing is just, what are the unique considerations that you've found in your work at a health plan as opposed to your prior stops, and are there any specific considerations that arise depending on the business lines, and that you've seen in the course of expanding the business?

Speaker 3:

Right. I think that's a fair and good question. I think that for health plans as opposed to hospitals, and that's the perspective that I'm coming from, really at health plans you have a legal and a HIPAA duty to protect the privacy rights of your insureds or members. Whereas at the hospital level, you're primarily looking at your patients that are being serviced by those hospitals, if you will. And there's more state and local regulation over those hospitals. I think secondarily, health plans are highly regulated by state regulatory bodies that offer Scan and other MCOs an opportunity to administer those government health programs. So there are accountability and duties that one owes to state regulatory bodies. And then again, those duties would vary depending on the health plan's lines of business. And like I indicated earlier, for us it's primarily Medicare, and in many instances it's Medicaid, if you will. And then there's also the implication of state breach laws that one would have to take into consideration, and other state compliance laws. And here that requires me to work with our compliance officer and compliance team to make sure that any unique considerations related to health plans are discussed. For me, and I think for most other health plans or MCOs, unique considerations really revolve around your business associates: who they are, what functions they do, what delegated responsibilities the health plan has delegated to those vendors, because those vendors need to be tracked. And I think that those unique considerations really relate to the higher instances of breaches that you see recently related to business associates. So I think those are some of the unique considerations.

Speaker 2:

Great. I think something to talk about is that you mentioned business associates. Obviously, you probably work with a diversity of business associates at Scan, and so there are, I think, different levels of sophistication when working with a business associate. I was hoping that maybe you could talk a little bit about your role in working with these business associates and just, do you have to lay out really what the risks are, or are you coming at it from a more focused perspective?

Speaker 3:

Very good question. I think for our business associates, here at Scan we have a streamlined process where I work (I'm part of legal, but I also work with the practicing attorneys) with the people who are onboarding our business associates with our procurement department. So once we realize that PHI is going to be shared, we take it through another analysis: we try to figure out what PHI is going to be shared, is it going to be shared onsite with the vendor, in other words, are we going to give them access to our system, or is it a situation where they're going to take our PHI offsite and it's going to be used, accessed, and monitored within their system. So we do that analysis, and then we also work with our security folks, where we ask certain questions related to whether or not the business associate is capable and whether they're adhering to Security Rule standards, to ensure that the security aspect of their systems and data allows for the transfer of data in a secure manner. So once we take it through that process, we ultimately make a determination, a thumbs up or thumbs down, and then we do a further risk assessment in the discussion with our executive team. And then we decide whether to move forward. If we decide to move forward, we typically use our standard business associate agreement. We want all of our business associate agreements to be on our paper, and we believe that our terms are fair to most of our vendors. And if negotiations are needed, our legal practitioners will engage, or I will engage, the privacy office or the legal staff from the vendor side, and we can hammer out any disagreements that may arise.

Speaker 2:

Great. It sounds like at Scan there's a really inclusive, multidisciplinary approach to this. And I think it's really telling that you're involving a bunch of different stakeholders, especially in regard to the security obligations, contracting obligations, and privacy obligations that arise with these things. Again, given your diverse background, I wanted to get a little bit of perspective on how that process may have developed while you were at Scan. Is this something that was in place? Have there been any unique contributions or changes to how you process business associate agreements and vendor agreements and things of that nature, in terms of just the internal structure of how those elements are escalated?

Speaker 3:

I think that the process here was previously in place prior to me arriving, and I think that after I arrived, the practitioners got me more involved in reviewing some of the language related to the standard business associate agreement template, number one. Number two, reviewing all of our agreements to make sure that they were Omnibus compliant. That means that they contained the right language that OIG and HHS suggested the agreements have since the 2013, 2014 final rule, and making sure that they were in place. But I think another thing that we've been fortunate to do since I've been here is that we've developed a business associate agreement response process. So if we have a business associate that's caused an infraction or incident or a breach, we engage in a legal process where we're sending a legal letter to them, asking them to confirm incident details, dates, times, impact, just so that we can frame and record the incident for any OCR reporting. And that also gives us an opportunity to reach out to the vendor, to check them, to make sure that they're adhering to the business associate agreements. And it gives us an opportunity, again, to see the mitigation response in plain English, and as a result we can use that for our OCR filings and we can make sure that the breach mitigation is completely buttoned up, if you will. So I think that business associate agreement legal letter writing process is something that was instituted, and it's proved to be very valuable in the mitigation process and also in reporting up internally; that document can be used to report to ELT for discussion points. You can sift off or distill an executive summary off of some of the data.
And again, it's collaborating with your business associates to share that information, because they're the ones with the information, and they have a duty to provide it. So we've found that that's a good way to get that information for mitigation.

Speaker 2:

That's really fascinating. And honestly, a very forward-thinking kind of system to maintain at a health plan, especially from a law firm perspective. We deal in our law firm with responses to a lot of these, and often there's not that documentation and that paper trail that we can follow, and it's something that we need to tease out of businesses, per se. So to hear that Scan has something like that in place is really encouraging. And this breaches nicely into our next topic, no pun intended there. <laugh> But the topic of breaches is a big one, I think, for our listeners. There's a statistic out there: according to the last 2021 Congressional report, health plans account for 15% of all PHI-related breaches. One of the bigger HIPAA-related settlements, in 2015 from Anthem: 78 million people affected, a 16 million fine. These are big numbers that truly scare people, both in an in-house capacity and at a law firm too. So I wanted to frame our next portion of our discussion around four kinds of healthcare breaches that have occurred in health plans and get your thoughts on these: what maybe you would have done, or whether there are controls at a place like Scan to prevent against it. So maybe we'll start with something that seems so simple but, even in a hospital system or any healthcare-related organization, occurs more often than you might think.
And it's just carelessness, what have you. But for example, we'll start with Affinity Health Plan. This is a breach that occurred, and it was actually the result of a CBS investigative report. They had obtained a photocopier from Affinity Health Plan, and there was patient data on the hard drives that were in the actual photocopier. <laugh> So this affected 344,000 individuals. There was a 1.2 million payment. They cited lack of compliance with the Security Rule. So I think this specific breach touches on loss of control, or not being able to account for any sort of physical items that are being sent out to vendors or being disposed of. Maybe you could talk a little bit more about your take on this and just how somebody, or how Scan, can control against these kinds of things from occurring?

Speaker 3:

Yeah. This incident was unfortunate because you had approximately 400,000 individuals whose PHI was unfortunately breached. I think in this situation, if you looked a little deeper at this one, what should have occurred, and what we would have done, is ensured that the equipment was wiped, if you will, prior to being returned to the vendor. And part of this is that, because we're dealing with a lot of complex laws and devices, if you will, maybe your average employee, your average procurement person, doesn't realize that PHI could be part of these devices. So you really need to back it up and say, hey, in our procurement process, the devices we are purchasing, are they going to contain PHI or store PHI? If so, then maybe you work with your privacy department at that time to do some assessment. But certainly in the modern age with these devices, I think wiping, or taking off or removing the PHI from these devices once you relinquish control, is just paramount to HIPAA privacy. The other thing is, OCR, I know, within the last five years has really investigated many health plans and hospitals for the disposal of PHI; that could be paper and also on these devices. So I've seen an increase in investigations related to that. So it's really where health plans and providers need to go that extra step or extra mile to ensure that devices are wiped, and to ensure also that any paper PHI that may be outside of their control is disposed of or destroyed appropriately, such that it doesn't cause an issue. And I can tell you, I once worked on a case where we had an employee that reported disposal of PHI by their spouse in a trash can out front. Obviously that's not the best way to do it.
There are ways for proper disposal of PHI, and I think health plans and others should really look at those rules. OCR provides some guidance on how that can occur. But this one was unfortunate.

Speaker 2:

I agree. I think people overlook the, I don't want to call it low-tech, but really just the importance of maintaining control over the physical things, the physical PHI. I know there has been a move towards making everything electronic nowadays, but that doesn't discount the risk that tangible, physical items pose and the breach risks that are associated with that. So maybe moving on to something slightly more high-tech, but equally dangerous, is the risk of a malware attack and not having the appropriate controls in place there. So this breach with Excellus Health Plan: 9.3 million individuals, a fairly prolonged period in which it wasn't detected, I think somewhere in the neighborhood of four to five months. And that resulted in a 5.1 million fine. Malware obviously is something that affects a number of healthcare organizations and is always a risk. Everyone always talks about maintaining those important internal controls to detect these things and working closely with IT. But maybe could you talk about a little bit more of the specifics of how that works, and how could somebody prevent something like this going on for just so long?

Speaker 3:

Yeah. This is another unfortunate event again. You had many, many, many people affected here. When I look at this Excellus case, I think about the fact that maybe Excellus should have performed an annual security assessment along with an annual network risk assessment. Typically, these can be done through a third-party vendor that a health plan or a physician or provider would contract with to perform this testing if they can't do it for themselves, number one. And then also, in terms of IT security, there's certain penetration testing that should be done on an annual basis. And that's something that we do here at Scan: we actually ping our network, our servers, our infrastructure, and we test it to determine whether or not we can actually penetrate it, to see if we can actually bring the system down. Again, if health plans can't do this on their own, they can certainly hire third parties to assist them with monitoring and conducting these tests. And I think for something like this, it's unfortunate because it looks like the malware was installed for an extended period of time, and if the health plan was not aware of that, then for many, many days that PHI would have been exfiltrated or scraped off of the server. So, very unfortunate. I think the last thing is that you must educate your employees on what malware is, the forms that it basically comes in, and how to avoid the near occasions or the temptations to click on emails that you're not familiar with, or icons that you're not familiar with, because a lot of these attacks are very sophisticated. And here at Scan, what we do also is that we perform our own internal test phishing exercises for employees to see whether or not they'll take the bait.
So we have a pretty good rate of our employees not taking the bait. And so we conduct that testing not only annually, but on a monthly basis through simulated email phishing attempts.

Speaker 2:

That's great to hear. And I think maybe we can talk about the importance of really training employees and your workforce members on just the dangers of phishing and how that's involved. There was a breach for Highmark in February 2023 that affected 300,000 individuals. And that was a straightforward email phishing attempt, an employee clicking a link that looked legitimate, but it led to this entire fallout. So maybe on that topic, can you talk a little bit about the kind of training you offer your employees at Scan, maybe even all the way up through the C-suite level, making them aware of just the risk that this fairly low-tech approach has and the implications involved?

Speaker 3:

Yes. So in relation to the Highmark breach, I think part of the proactive and mitigation effort would be that, again, you must do the annual HIPAA training, and that's something that we do here at Scan for every employee and for our workforce members. And we also have HIPAA education for our C-suite and executives to make sure that they're aware. We also have specific HIPAA training that can be done on, let's say, unauthorized disclosures, on release of information, things of this nature: what is a breach, what is an incident. So there are many different ways where you can train the workforce to make sure that they can identify phishing exercises, and really to explain to them the result. Because if you have a result where systems are down, that could throw off all of your operations, from printing to sending out membership cards to paying claims; you can really be placed in a bad way if you don't have the education. But HIPAA education is something that we do here at Scan; we have a vigorous process. I think the other part of it is, when I started here at Scan, I implemented more robust monitoring of HIPAA discipline, such that there are certain levels of discipline that we mete out for individuals who cause HIPAA incidents or breaches, and it may become progressive. Through HIPAA discipline, that's a way to narrow the scope on some of these incidents that arise. And it supports the education that we do. Under the rules, HIPAA discipline is required, but it needs to be fair and consistent. So that's what we try to do here at Scan. We have a discipline process for HIPAA incidents, but it's consistent and it's fair, and each case is reviewed independently.
And then lastly, I would say that in terms of some of the issues that we see related to phishing, we will block some of the engagement coming into the network, or if employees are trying to send emails that may contain PHI outside of the organization, we have the DLP, or data loss prevention, process, which assists us in bringing down some of these incidents as well.

Speaker 2:

That's great to hear, that really targeted approach internally, to keep the organization accountable, and individuals in the organization accountable, for potentially causing the type of breaches that we're talking about here. Right. I want to turn back a little bit to something you had mentioned earlier, which is HIPAA and also the state-specific laws, and the fact that you mentioned there's this interplay between the federal and state level of things. There was a breach actually in California, with Partnership Health, a ransomware breach, but it brought up interesting implications regarding just how HIPAA interacts with California state law. I'm aware that HIPAA has, for example, a 60-day notification, but California I think is slightly more stringent, 15 days if I recall. So from your perspective, how do you see this kind of interplay working when it comes to the state law component of things? And does that complicate things? Because everyone always says HIPAA is just the floor; the ceiling is as high as the states want it to be, right?

Speaker 3:

Yeah, that's right. Some of the state laws are very stringent, and under the Constitution state laws can be more stringent, so long as they do not conflict with the federal or national constitution. And so under HIPAA, they definitely follow that rule. Yeah, California is very strict with some of the privacy laws that they have. In some cases it's 15 days reporting, but for health plans it could be even less than that. So, for example, for DHCS, that would be five days, or it could be 24 hours for an incident or for a breach, or it really depends on the contract that the health plan has executed. And so, yes, HIPAA is the floor, 60 days for reporting, unless it's for 500 or more members for a known breach, and you would have to report that immediately. But yeah, California and many, many local and state regulators would say it could be 24 hours up to 15 days of reporting.

Speaker 2:

Great. So I think a common thread through all these breaches is just really the importance of maintaining communication across the company, and making sure that each element within your company is really informed about the risks involved and what their obligations are and what they need to do to prevent these kinds of breaches from happening. I was wondering if you could talk a little bit about how, if a breach were to come through, Scan would staff the response. Would there be some sort of standardization of practices, getting certain people involved at specific periods of time? How would Scan approach that, and how have you approached that, even outside of Scan, if this occurred at your past positions?

Speaker 3:

Right. So that breach response is a large portion of what's occurring with HIPAA and the HIPAA practice. I think it starts with ensuring that your staff understand that any type of incident or breach should be reported. Our rule is that it should be reported internally within an hour, because if we have regulatory requirements to report within 24 hours or three days, then that means that we need to be able to get that information as soon as possible. In order to do that, I think that staff in the workforce need to know who it should be reported to. So here you can report it to the hotline, you can report it to your manager, you can report it to the privacy office directly, you can report it to HR, et cetera. So I think that's important, but I think most importantly, each organization should have an incident response plan, and that response plan should list the steps that are really needed in order to assess and review an incident, to make a quick assessment. And usually those are, quote unquote, called Tiger Teams. So those are going to be your legal and privacy and security experts, maybe a team of five or less, that can quickly assess the issue and rank it in terms of severity, whether it's low, medium, or high. And then based on that, it really is: do we know right now whether or not it's a breach? If it's a breach, then that's going to trigger some other obligations. If it's not, then you place it on that 60-day HIPAA timeline; it is actually a privacy incident, but you likely have more time to evaluate. Again, for example, even if it is a breach or even if it is a privacy incident, you still have in some cases a duty to report that, and still to follow up, even for things that will be considered unauthorized disclosures that do not rise to the level of a breach. But yeah, I think that it's important to have an incident response plan.
We have one here at Scan, and you work with your IT security, legal, and privacy teams to make sure that you have the appropriate people in place. Generally those are called Tiger Teams, and those teams will work to assess, mitigate, and resolve those reported incidents. And I think lastly, you want to make sure that you have a system where you can record the incident or the breach such that the recordation supports any notifications that you need to make to members, patients, and certainly to state regulatory bodies.

Speaker 2:

Absolutely. And it's great again to hear that there's such a proactive system in place, that there are multiple avenues by which employees and people in your workforce can report these kinds of breaches, and that there's a system to escalate it to these various teams. I think a lot of our listeners will hear a variety of different kinds of advice in terms of setting up committees, or getting certain reporting obligations in a specific time period for potential breaches, or things that could be deemed a breach. You've obviously been at this for quite a while. So I was curious, and I think our listeners also would be curious to hear, whether there are the kinds of things that you hear out there that may or may not work. So is there anything that you could call, I guess, conventional wisdom that you've seen maybe not play out; it looks good on paper, but maybe in practice it's a little bit iffy?

Speaker 3:

Right, right. No, that's a good point. A couple of things. Maybe a covered entity or a health plan or a provider solely relying on their business associate to complete the mitigation without the covered entity's involvement. I've found that it's important to really engage your business associate when they report an incident or breach, because sometimes what can happen is they may investigate for a while and they may tell you within the 60-day deadline, at day 31, "Oh, everything looks good, we don't believe that any of your data was impacted." And then let's say on day 50 they come back and say, "You know what? There was impact." And if that's the case, there's a question as to whether or not you have 10 days left to resolve the case. And if it's a security incident, very rarely is a security incident gonna be solved within 10 days. So again, beware of relying on your business associate to give you the complete details without you actually getting involved. And that's why I implemented that business associate legal letter-writing process, to ensure that we're telling our business associate, "Hey, we're aware of the report, we need the data as soon as we can, we wanna work with you. We need to do whatever we need to do to bridge the gap." Secondarily, I would say if the health plan or the provider is failing to request from your business associate a privacy or incident risk assessment of the incident, because, in my experience, sometimes the business associate will not have any risk assessment or incident risk assessment that they will send to you, and it's important to get their understanding of whether or not they actually thought it was a breach or not, because you can use that for any explanations that you need to provide to state regulators or to OCR about the incident or breach.
So it's always important to get that risk assessment from your business associate for any incident or breach that they report.

Speaker 2:

Great. Absolutely. And those are very important things that I think our listeners will be glad to, hopefully, implement into their own practices. So, as we kind of wrap up here, do you have any parting thoughts for those who are looking to manage their HIPAA obligations? Even outside of a health plan context, just general best practices or any other valuable information you'd like to convey as somebody sitting in your shoes?

Speaker 3:

Sure. That's a good question, and I appreciate you asking that. I have just a few here. Number one, whatever you do, make sure that your HIPAA or privacy incident reporting is on time, because sometimes if it gets beyond the time period for reporting, that really starts a bad chain of events with the regulators, and then they're gonna want more and more information that you may or may not have. So make sure that your incident reporting is on time based on your contract, based on the law. Next, I would say, provide your regulator with a courtesy incident or breach notice if needed. Sometimes you don't have all of the details, but sometimes you can provide a courtesy notice to regulators. They really appreciate that; it helps to collaborate with them. If you get some abrasion down the road related to what you did or did not do with respect to the incident, I think courtesy notices really help, because it shows the regulator that you're on top of things, that you're involved with mitigation and you're really concerned. Next, I want to make sure that folks have an incident response plan, and that you practice that plan on an annual basis. So here at Scan, we practice planning for breaches on an annual basis. There are many, I know Experian and others, that can work with health plans to practice an incident response or breach response. So practice that; it's very important. Just a few others. Make sure that you have an organizational communication plan about breaches. We talked earlier about the Tiger Team. Once your Tiger Team makes that low, medium, or high severity assessment, if it's high, then you probably want to get some communications plan out to your ELT about potential impact. And really that impact could be to your help desk. If people start calling in about the breach, what are you gonna say?
What's your messaging? You want to make sure that you have messaging available. Next, if a business associate is involved with the incident, you wanna make them aware of their obligations under HIPAA. And again, you want to follow up with the appropriate business associate agreement letters, as we've discussed. And then lastly, be aware of any government contract reporting obligations or reporting to state agencies. So the Attorney General's offices and certainly the Department of Insurance offices, they want to be notified of these security incidents. And certainly on the local level, you'll have your local health department that may want to be informed of smaller breaches or incidents.

Speaker 2:

Anthony, these are all great takeaways, and thank you again for taking the time to speak to me and also to inform the listeners of all these valuable best practices and takeaways to avoid having these HIPAA kinds of issues arise. So we thank you very much again for your time. Again, my name is Andrew Sylora. I'm here with Anthony Archer. It was great to meet you and great to host this podcast today. Thank you.

Speaker 3:

Thank you very much.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.