How To Have a Successful Breach Response Under HITECH

6/30/2010

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.

A classic example is the testimony of James Davis, CIO at the University of California, to the Senate Subcommittee on Terrorism and Homeland Security in 2007. Davis offers, in painstaking detail, the logistics surrounding call center operations for a large data breach. According to Davis, once the institution had an idea of how many calls to expect, “making arrangements to outsource call center operations was not just on the critical path to notification, but became the critical path: we had never had to do this before, and finding a suitable call center vendor and completing a contract on an expedited basis became mission critical.”

Once individual letters go out, the ability to quickly and accurately respond is mission critical, no question. That ability is only magnified when the organization must provide substitute notification either through their website or a major media outlet, complete with a toll-free telephone number as required by HITECH [§ 164.404(d)(2)(ii)]. The expectation here is that the call center will experience higher volumes than they would with individual notifications, because concerned former patients or customers will call whether their information was included or not.

This means that at the outset of notification, the organization must answer some very tough questions: what percentage of individuals reached by the notification will actually call? How will the call center distinguish between affected and non-affected individuals? How large will the call center staff need to be? Will staff be trained to handle identity theft or fraud-related issues?

Davis also noted in his testimony that not only was the response greater than their original estimates, but a full third of all calls came in the first couple of days, “likely due to email notices and media outreach,” so the ability to scale is crucial, too.

The bottom line: this is about more than just compliance with a federal regulation. When a breach occurs, customers expect information provided in a timely manner and they expect someone to be there to answer their questions and, hopefully, provide solutions. Is your organization up to the task?


by Brian Lapidus
COO, Kroll Fraud Solutions
