How SMBs Drive Innovation in Cyber

Large organizations have long understood the intrinsic value of customer data. Using it to formulate and execute on key business decisions, enterprises can better meet customer demand, anticipate a buyer’s propensity to purchase and stay ahead of savvy competitors. Because of the substantial amounts of resources required to successfully leverage customer data, and considering its highly confidential nature, large companies have also traditionally led the pack in implementing cyber insurance to protect this crucial business asset.

Despite having fewer human and monetary resources, small and medium-sized businesses (SMBs) have started joining in on the data-driven movement, leveraging their existing customer data to deliver superior customer experiences and, in some cases, successfully compete with large organizations. Protecting that invaluable intelligence, however, has historically been overlooked. Many SMBs assume they aren’t as much of a target as large companies are, or they simply aren’t aware that cybersecurity tools are available to them. Plus, complex buying processes and exorbitant pricing often prohibit even the most knowledgeable SMBs from adequately protecting their assets.

New and Improved SMB Habits

Thankfully, times are changing. As SMBs continue to take advantage of the business benefits that leveraging customer data can provide, they’ve caught on to the merits of defending their customer data with cybersecurity measures such as cyber insurance. In fact, it’s fair to say SMBs will drive the next wave of cyber insurance adoption.

According to recent research conducted by my company, demand for cyber insurance has skyrocketed among the SMB market as of late, with the highest quarterly growth being 150% and averaging approximately 69% per quarter. In Q2 of 2018 alone, 30% of our commercial insurance shoppers purchased cyber coverage, up from 12% a year ago. First-time cyber insurance shoppers are also on the rise among SMBs, having experienced a quarterly growth of 34% over the last year.

Key Factors Contributing to Cyber Insurance Growth

There are a variety of reasons for SMBs’ increasing enthusiasm for cyber insurance, such as a rise in SMB-targeted cyberattacks and widespread, difficult-to-detect network vulnerabilities. However, after analyzing our proprietary digital data collected from Q1 2017 to Q3 2018, we found the following three factors equally critical in driving SMB cyber insurance adoption:

1. Compliance Requirements

Compliance requirements such as HIPAA, PCI and DCI have contributed significantly to the growth of the SMB cyber insurance marketplace. Recent data privacy regulation rulings such as GDPR and the California Consumer Privacy Act may also be pushing adoption, as the percentage of our shoppers who stated compliance requirements as a motivating factor increased 39% quarter-over-quarter.

2. Contractual Components

In the past, mandating cyber insurance for SMBs was difficult, due to the lack of affordability and accessibility. Today, digital-first insurance providers have drastically reduced distribution costs, allowing organizations to enforce cyber insurance as an essential component of third-party vendor contracts. According to our data, nearly half (46%) of SMBs buying cyber insurance are purchasing due to contractual requirements.

3. Affordable Policies

The price of SMB cyber insurance has declined substantially over the past year, primarily due to carriers’ ability to provide tailored policies designed to meet SMB-specific needs. In April 2017, our data shows the average monthly premium cost for a $1 million cyber insurance policy was $270. By June 2018, however, the average monthly premium cost for a $1 million cyber insurance policy dropped to just $77.

The Future of Cyber Insurance Adoption

Compounding factors will continue to drive the SMB cyber insurance market. From a business perspective, state and federal regulations will likely make cyber insurance a mainstream business priority, and enterprise-level contractual requirements will make cyber insurance a must-have for third-party vendors. On the consumer side, customers will continue to take an increasingly active role in their personal cybersecurity, demanding SMBs effectively secure their personal data through security solutions, including cyber insurance.

Though our data is still maturing, the steady increase in SMB shopper awareness and overall market readiness indicate that 2018 serves as an inflection point for the mainstream adoption of cyber insurance. Furthermore, with the SMB population in the U.S. expected to exceed 34 million by 2025, cyber insurance will be an essential factor in securing our collective digital world, and we can expect any business with assets to secure, and long-term viability to protect, to make cyber insurance a critical element of their comprehensive cybersecurity plan.

Avoiding Data Breaches in Healthcare

While the largest number of data breaches occur at healthcare providers’ sites, such as hospitals and physician offices, healthcare plans account for the greatest number of health plan member records stolen over the past seven years, according to a study published in JAMA.

This is attributable to extremely large breaches of electronic systems. While these centralized databases offer a wealth of health records that can be used to improve healthcare, it’s important to balance the risks of being hacked against the benefits.

These breaches represent one area where health plan organizations must focus their attention to overcome an increasingly complex regulatory and risk management environment. A fully equipped health information management platform has become a vital requirement for health plan organizations seeking to improve care, member outcomes and ROI.

Balancing Risks of Data-Sharing

While better policies and procedures and the use of encryption have helped reduce easily preventable breaches, more must be done to protect member privacy and mitigate associated costs.

Health data breaches cost the U.S. healthcare industry an estimated $6.2 billion, and 70% of businesses that have experienced ransomware attacks in their workplace have paid to have stolen data returned.

Attackers have learned how to monetize healthcare data, and the number of attack points continues to rise with the use of mobile medical- and health-related apps and with electronic health records (EHR) becoming increasingly embedded in clinical settings.

Given all this, health plans should seek a technology-enabled platform that optimizes operational viability, helps to improve member outcomes at reduced costs and ensures data security and privacy. The first step is to look for a vendor that has earned Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification.

Understanding HITRUST Benefits

As healthcare data shifts from local infrastructure to the cloud, the ability to control and secure data weakens, creating substantial challenges for health plans and hospitals that need to assess third-party vendors and ensure that data complies with HIPAA and other regulations.

HITRUST sprang from the belief that information security should be the core of the broad adoption of health information systems and exchanges.

HITRUST CSF certification can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. Certification gives organizations detail and clarity related to information security controls tailored to the healthcare industry.

Certification also carries two key advantages: First, it’s designed to examine regulations. During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. This assures providers of a level of consistency from one assessment to another.

Second, HITRUST performs a gap analysis, which providers can request to help them further assess a vendor’s security posture, which saves substantial resources.

HITRUST CSF certification also includes these benefits:

  1. Cross-references the requirements from legislative, regulatory, HIPAA, NIST, ISO, state laws and others for one comprehensive framework
  2. Provides a framework that prepares organizations for new regulations and security risks once introduced
  3. Ensures compliance and security protection to clients
  4. Assures payers working with vendors that the platform is compliant, private and secure and meets the necessary requirements of HITRUST CSF certification
  5. Means a third-party assessed the platform and attests to its compliance with globally recognized standards, regulations and business requirements, ensuring data security, privacy and compliance

Full-Spectrum, End-to-End Platform

Health plans should look for an integrated risk-adjustment optimization and quality improvement platform that has HITRUST CSF certification as validation of a commitment to improving the health of healthcare and providing innovative solutions for health plans across the country.

They should offer a platform that provides health plans and provider groups with a comprehensive risk adjustment solution that plays an integral role in helping health plans and risk-bearing entities improve measured quality.

HITRUST CSF is a certifiable framework that gives organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Leveraging nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA and COBIT to ensure a comprehensive set of baseline security controls, HITRUST CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance.

HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, continues to improve and update its framework, ensuring that organizations are prepared when new regulations and security risks are introduced.

Furthermore, the certified solution should combine risk adjustment and quality improvement services and provide real-time visibility and reporting for risk adjustment analytics, medical record retrieval, HEDIS abstraction, risk adjustment coding, claims and data validation, prospective health assessments, clinical abstraction, member engagement/outreach and provider education. It should also be designed to integrate risk adjustment and quality services to deliver fully transparent insights.

Success in value-based approaches pivots around delivering on total member health, cost and quality rather than relying on the traditional model of maximizing relative value units, revenue and downstream referrals.

The right full-spectrum, end-to-end approach to care empowers health plans and providers to identify gaps in care and manage plan members more productively. Consequently, plan members reap the greatest benefit by being guided toward more preventive care and self-management early in the care process and their information and privacy remain protected.

Best Practices for Cyber Threats

All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

I recently sat down with Edric Wyatt, security analyst at CyberScout, to discuss the first step any organization — of any size and in any sector — can take to increase its security maturity. His answer: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration, likewise, refers to the NIST framework in guidance for medical device manufacturers.

NIST is aggressive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes, small- and medium-sized companies, educational institutions and state and local government agencies.

NIST is flexible. At the end of the day, the NIST series guides organizations to shaping security policies and security controls that are flexible, adaptable — and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner and should be championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, Wyatt says.

This article originally appeared on ThirdCertainty.

Healthcare Firms on Hit List for Fines

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed to simply deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form.

And the threat landscape has been evolving, as well.

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.

In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

The fines levied by the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2016 surpassed those of any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers.

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that affect 500 or more individuals, shows a steady growth each year.

In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. This trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put healthcare at the top of all other industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Sinking teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.

What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and raised the maximum penalty per identical violation from $25,000 to $1.5 million. It also extended HIPAA to business associates.

The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks versus a little more than 20 million people affected by about 700 incidents involving theft (laptops, media, etc.).

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57.

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy.

“Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says.

In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”

This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

Hard Lessons on Protecting Health Data

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required for CardioNet to settle potential charges of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules contain many important lessons for other healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement payment and implementing a corrective action plan to settle potential OCR charges it violated HIPAA by impermissible disclosure of unsecured electronic protected health information (ePHI).

The CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement), announced by OCR on April 24, 2017, is the first OCR HIPAA settlement involving a wireless health services provider. It adds to the rapidly growing list of announced OCR HIPAA enforcement actions that clearly show all covered entities and their business associates the substantial enforcement liability risks of failing to finalize and actually adopt, implement, administer and maintain the HIPAA Privacy and Security policies and procedures required by HIPAA. It also illustrates some of the steps OCR expects organizations to take to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias that a workforce member’s laptop containing the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach involving the ePHI of 2,219 individuals.

The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.

To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flash drives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions and other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA, and train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:

  • Like many previous resolution agreements announced by OCR, the resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process OCR expects all laptop computers and other mobile devices containing or with access to ePHI will be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The discussion and requirements in the corrective action plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardioNet makes clear that OCR remains serious about HIPAA enforcement.

While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations.

In January 2017, for instance, OCR announced that Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and to correct other HIPAA compliance deficiencies. These resulted from its failure to take appropriate, well-documented actions to timely secure ePHI on systems and mobile devices and other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporate Social Security Numbers, credit card or other debt or payment records, other personal consumer information and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under the confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance and consumer privacy laws, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

Beyond, and regardless of, the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or privacy breach report, public accusation, investigation or admission are also typically the most inevitable:

  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.

In light of these risks, covered entities, business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their own HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations’ policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and, as necessary, strengthen their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced, and that they do so in a well-documented manner. The focus of these activities should be both to maintain compliance and to position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.