Five Steps to Prepare for Telehealth Data Breach Litigation
- Avoid the Breach
Breaches always have costs, not the least of which include reputational costs and lost business. Don’t let the temporary relaxation of HIPAA Security Rules lull you into settling for second-rate technology vendors. Even if you comply with HHS’ current relaxed requirements, state laws can still be more stringent, and patients may still sue you if their information is compromised. Accordingly, use a HIPAA-compliant telehealth service provider who agrees to sign a business associate agreement. For additional guidance on particular cybersecurity steps to follow, see here.
- Monitor and Prepare for the Breach
The longer a breach goes undetected, the greater the cost of cleaning it up. Make sure you have a process in place to monitor access to patients’ PHI. Monitoring is particularly important in the health care context, where breaches caused by intentional bad actors are more common. Beyond that, know what to do if a breach occurs by having an incident response plan in place. According to the Ponemon Institute, companies that have and extensively test their incident response plans save more than $1 million in costs after a breach.
- Make a Paper Trail
Document your privacy and cybersecurity efforts, including facts and data sufficient to support the decisions. This should include a description of any reasonable equivalent alternative measures undertaken. Periodically review your documentation and update as needed in response to changes to your environment or operations. Maintain records of all risk assessments and of investigations into any prior security incidents. Consider the involvement of counsel so that any documentation, not otherwise required under HIPAA, may be protected by the attorney-client privilege.
- Be Mindful of Your Representations
When it comes to privacy and cybersecurity, as with anything else, know what you are promising and follow through on it, or you could face claims ranging from negligent misrepresentation to breach of contract or fraud. Always inform patients of the risks and get their consent to proceed.
- Involve Subject Matter Experts