Learning@ Series: Privacy, HCCA Charlotte Regional Conference


Privacy tips from industry leaders, shared via ComplianceLine Insight

ComplianceLine attended the 2019 HCCA Charlotte Regional Conference. In the kickoff session, Privacy and Security Case Study Roundtable, we heard contributions from leaders at Harbin Clinic, Atrium Health, and the FBI. Read below to share in what we are Learning@ cybersecurity, phishing (including cybersecurity), and breaches (large and small, OCR).

  • You need a team
    • Get your departments (security, privacy, legal, compliance) familiar and in conversation
    • Target conversations to both strengthen your coordination and prepare¬†for the inevitable
    • Get your executives to understand how stories in the news would look for the company itself
  • Even as security tools advance, there are gaps you need to manage so you should keep looking for effective improvements
    • People are the main way to breach via mistake, phishing, etc.
    • Proper response requires deep review, assessment, preparation, etc.
    • You can’t respond as quickly as you need to unless you are thoroughly prepared
  • Federal standards for ‘large breach’ and notice is 60 days, but this can vary by state.
    • A state’s notice standard can be as low as 5-30 days!
    • For small breach of less than 500, reports* are due to Secretary no less than 60 days after end of calendar year when occurred
    • Report, contact, discuss, and request a deadline extension if needed
  • Risk assessment: this is holy grail!
    • So you should have an action plan/template AND risk assessment for every *potential breach.
    • Also, Risk Assessment tells you step by step if you need to report to the affected individual, OCR, or media.
    • Therefore, proper Risk Assessment may impact (even remediate or reduce) a fine
  • Covered Entity is required to do notification but¬†can delegate to Business Associate
    • If a breach affects >500 in a state/jurisdiction, then you’re required to notify to prominent media in that state/jurisdiction.
    • Can be press release to media and should not be an unreasonable delay (in any case, less than 60 days).
  • Given the complexity and work involved, you should hire an outside firm to handle calls after notification.
    • One panelist witnessed over 10,000 calls to their call center
    • Additionally, they dealt with 250 issues escalated to internal team (also came from website).
    • Relatedly, you must have a toll free number for 90 days where people can request info
    • One panelist had 2,200 credit monitoring requests out of 24,000 potential. Because of this, they felt offering it was reasonable and helpful to the people who needed it.
    • ComplianceLine is well positioned to handle both the escalated call volume and the protocol for escalated issues via our standard hotline service (ongoing) and/or our specialty crisis line service (special project).
  • You should also note that a “small breach” requires notification via USPS within 60 days. Secondly, you should comply with requests for additional details, apologize and offer a year of credit monitoring

The CL Insights Learning@ Series seeks to share information and impressions about things we’re ‘learning about’ with compliance professionals interested in personal and professional growth. We’ll periodically share resources, summaries, and concepts from the myriad learning opportunities all around our industry. The above should not be taken as advice, legal or otherwise, from ComplianceLine. If you’d like more information, please contact Insights@ComplianceLine.com for a direct consultation or for a referral to one of our qualified Partners.