A healthcare data breach can prove costly to an organization's bottom line and its reputation. Here are five best practices for crisis communication during a breach.
1. Do the required risk assessment. When the HITECH Act went into effect in September 2009, it included an expansion on existing HIPAA regulations and required hospitals to conduct a HIPAA security risk assessment. "With the trend in enforcement we've seen in the last year, more and more providers are doing the required assessments to understand where their priorities need to be and how they should be best prepared," says Rosemary Plorin, partner and senior vice president of Lovell Communications in Nashville, Tenn.
The intention of the risk assessment is to help hospitals identify areas of risk and vulnerability — and in the days of thumb drives, smartphones and laptops, there are plenty of opportunities for the use of unencrypted devices to lead to an accidental release of patient data. Laptop theft was recently named the number one cause of healthcare data breaches.
2. Prepare for the worst. Of those organizations that have experienced a breach, many simply had not rolled up their sleeves to figure out plans of action beforehand. "Hospitals need to be prepared to deploy an emergency response team and conduct a root cause analysis just as they would with a clinical issue," says Ms. Plorin.
Ideally, that team will have already considered a plan of correction in the event of a breach — and communication should be a key component. This plan will include a timeframe for notification of patients, providers, employees, business associates, strategic partners and media outlets. "Timing needs to be as closely synched as it can be," says Ms. Plorin. The timing of these notifications, however, needs to be carefully planned. A hospital does not want to reach media outlets before contacting those affected by the breach.
3. Go beyond what is prescribed by the government. Patients feel especially vulnerable and uneasy when data breaches occur at hospitals, since those are the same organizations they trust with their health. When it comes time for outreach after a large-scale breach, patients will want to hear from the top of the organization, according to Ms. Plorin. Messages should be created with the expertise of legal and communication professionals to match risk management and patient advocacy needs. "Look at your communication and make sure you're not being cagey or bureaucratic with your language. A sincere message of regret offered by the organization's leadership can go a long way toward reassuring patients," says Ms. Plorin.
Though the federal and state governments have established strict guidelines on what needs to be communicated and when, hospitals need to go beyond that. "Provide as much information as possible to help people protect themselves against identity theft," says Ms. Plorin. "If financially possible, invest in providing patients with protective services for a year. It's an extra cost, but it tells the patient you'll protect them."
4. Maintain solidarity between departments within your organization. When a breach occurs, departments within the hospital may be looking over their shoulders or seeking someone to blame. "Breaches are very often the result of a systemic weakness. No one is served by pointing a finger at one person or one department," says Ms. Plorin.
Breach experiences, while painful, force hospitals to carefully evaluate their practices and identify all potential gaps in security. "Recovery from a breach should be an opportunity to become a stronger, more compliant organization. Every department, every employee and every person associated with the hospital should be reminded of their responsibility for protecting patient health information and maintaining patient trust."
5. Make sure all communications and services are consistent with your organization. Organizations tend to exhale once they have mailed the notification letters, posted the news release, established a hotline and launched a website. But it shouldn't stop there. The hospital needs to go beyond the notification process and maintain a strong presence throughout the entire process. An opportunity is lost when hospitals don't take the breach as a time to express sincere regret and become a staunch advocate for patients.
Offering protection services to patients impacted by a breach is proving to be a gold standard. These services, such as credit monitoring and notification, should be consistent with the hospital's brand and culture. For instance, hospitals should pay attention to how callers who dial the hotline are treated. "The expectations of a patient are very different from those of a department store customer or credit card holder," says Ms. Plorin. "It's a failure if someone e-mails a hospital website after a breach notice and no one responds for a week."