It’s a day every CISO dreads.
You think you’ve been doing everything right, but despite your best efforts, you’ve experienced a HIPAA breach, and now OCR (the HHS Office for Civil Rights) is coming in to investigate.
What should you do?
First, take a deep breath. Relax. The remediation work you do in the following weeks and months matters, but how you conduct yourself during the investigation matters even more.
Have you taken a deep breath yet? Okay, read on.
1. Accept that you’re not in compliance with HIPAA.
By definition, if you’ve experienced a breach, you are not in compliance with HIPAA.
“I know, Mark. Why are you telling me this?”
One reason: This is the mindset the investigator will have.
A breach signals a control failure somewhere, and it’s the investigator’s job to find that failure and make sure it gets corrected. The sooner you accept this, the better your chances of starting the investigation on the right foot. As you’ll see through the rest of this article, handling a breach well has more to do with mindset than anything else.
2. Don’t fight with the investigator. Work with them.
“No one beats city hall.”
Have you ever heard that saying? It’s especially true in this case.
Understand you are unlikely to win (in the traditional sense) in this situation. It simply isn’t worth fighting your investigator tooth and nail. They hold the power here. Play the cards you’ve been dealt, not the ones you wish you had.
That said, still work with your internal and external counsel, but with the mindset of coming alongside the investigator rather than beating them. It’s the two of you against the problem, not against each other.
The fact is, your company is likely to face a penalty or a corrective action plan. How large that penalty is, and how much the investigation costs the company, depends largely on how well you cooperate with it.
3. Document everything—and maintain that documentation.
Investigators are interested in your current policies, but they’re even more interested in what your policies and controls looked like when the breach happened, because they’re trying to determine the root cause so it won’t happen again.
Because of this, retain documentation from before, during, and after the breach. HIPAA requires you to keep required documentation for six years from the date it was created or last in effect, and the statute of limitations for penalties is also six years, so retain your records for at least that long. Beyond that, document everything you did to detect the breach, remediate it, and move forward from it.
4. Understand you have a story to tell.
Want to get on your investigator’s good side? Here’s how to do it: Understand you’re telling a story that goes like this:
- Bad things (like a breach) happen to good people.
- This breach identified a weakness in your control structure.
- Here’s how you identified it.
- Here’s how you’re going to fix it/have fixed it.
- Here’s how you’re progressing.
- And, here’s how the control structure is working better now.
If you’ve had a breach, perform a risk analysis. (If you haven’t had a breach, perform one anyway; the Security Rule requires it.) Then remediate the risks you find. Nothing will provoke more ire from an investigator than discovering the breach resulted from a vulnerability you had known about for a long time and left unaddressed.
If you’ve experienced a breach—or, if you’re trying to prevent one entirely, LBMC Information Security can help. Our team of qualified security experts knows how to create and run an effective security program. Contact us.