2016 HIPAA Audits Part 7: 5 Steps to Take After Experiencing a HIPAA Data Breach
by Donna Koger, 6.13.16
It’s essential to take the steps necessary to prepare against a data breach, but after one does occur, knowing how to respond can make all the difference.
1. Widen your response team
Your incident response group may have been doing the initial investigation as a small team, but now you have a breach and you may have to include a broader set of people in the organization. Those people could include internal resources, but also outside resources who can help begin the process of notifications and assessing who needs to be notified and how.
2. Determine who to notify and how
Another component of the overall response plan is to determine who needs to be notified and how to go about doing it. There may have been population data sets whose records have been compromised and they may not have been homogeneous.
For example, some patients can be minors and others deceased. There are special considerations you have to take when it comes to healthcare, such as how employees will be expected to deal with patients when explaining the situation to them.
3. Keep the patient population in mind
When thinking about your different patient populations, it’s important to consider different means of communication. For example, if the patient is a minor, it doesn’t make sense to offer them credit monitoring. A text message alert may be more appropriate, whereas an elderly patient would prefer a letter in the mail.
The scenario will depend on the profile of your patients. When it comes to younger patients, social media may also be a viable option, but be very careful here - it makes such a viral impact, you don’t want to send out the wrong information.
4. Know your state and federal laws
There are federal or state agencies that expect notification or reporting once a breach occurs. Depending on the number of days since you've been compromised, you must notify HHS Office for Civil Rights (OCR).
Also keep in mind that each state has its own set of requirements and sometimes those agencies want to see an example of your individual notifications. For example, you may have to make sure they approve of what you’re telling patients, or they may require you to report the breach to a credit tracking system, so it can vary.
5. Ensure everything is well documented
Based on the profile of your institution, you could get a knock on the door from HHS or OCR or your state agency, so you need to have all your ducks in a row. Make sure their requirements don’t result in additional demands on your compliance structure and operations.
If you use outside services and vendors (business associates), make sure they’re using additional documentation that can support your activity when the incident occurs.
Find more complimentary content in our HIPAA Resource Center.
Part 1: What's on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers
Part 4: 10 Steps to Compliance
Part 5: Where's Your PHI Data?
Part 6: HIPAA Crash
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.