Many of you have received notice from Trizetto regarding a breach at their corporate level. While these breaches of patient information are unfortunate, cybercriminals are crafty and are attacking every part of healthcare. Trizetto has taken the steps required of it under HIPAA. We have analyzed the situation and propose the following for our clients.
Why does this involve me?
Covered entities, meaning YOU, are ultimately responsible for taking the steps to protect our patients' privacy. The fact that Trizetto was the source of the breach does not change that responsibility. This is why HIPAA requires business associate agreements between you and business partners such as clearinghouses.
What exactly happened?
All the details of the breach are included in the communication you received from Trizetto, including a resource that shows exactly which patients were involved. They were very transparent. Everything needed for you to take the appropriate response steps is included in their communication. THERE IS NO IMMEDIATE URGENCY IN THESE STEPS, except the one
What are those appropriate steps?
The mandated response to a breach is actually the responsibility of the covered entity, which is you. These steps include:
1. Determining if this breach is a "reportable breach", meaning reportable to the HHS Office for Civil Rights (OCR). This is a complex decision tree that can involve both Federal and State law. Reportable breaches require complex and extensive response steps. For most clients, this will not be a reportable breach, but do not assume this! This is YOUR responsibility no matter what action Trizetto takes. You may need to discuss this determination with PPP. Before you call, note that we will be sending out additional information soon regarding the likelihood that this is a reportable breach for you individually.
2. If it is not a reportable breach, you still have work to do. This may include any or all of the following:
   2.1. Ensure you have a current business associate agreement with ALL your business associates. If you do not have a current agreement with Trizetto, your liability risks increase significantly.
   2.2. Letting the patient know what happened and what you are doing about it.
   2.3. Offering identity theft protection services to the patient.
   2.4. Offering credit monitoring services to the patient.
   2.5. Documenting the event in your security risk assessment.
   2.6. Because these breaches commonly result in individual patient complaints to OCR, make sure all your compliance policies are current and all staff have current, documented training.
The good news is that Trizetto is offering to complete many of these additional steps for you, at their expense (steps 2.2, 2.3 and 2.4). You have the choice to allow them to complete those action items for you. In general, this is a good choice, but if you have any concerns you should contact PPP or a HIPAA-credentialed attorney.
YOU must complete steps 2.1, 2.5 AND 2.6. This includes a written summary of what happened, what you are doing to respond to the breach and mitigate the risk, and what steps you will be taking to limit future breaches. In a week or two, PPP clients will receive recommended language that you can customize and add to your PPP compliance dashboard.
If you have any specific concerns or questions, please reach out to us. We are here to help.
