Part 7 of 7
Security Incident Management: A patient’s information has been compromised. Now what? Is your staff confident that they know how to handle this breach? An organization never wants to wait until it is in a breach to find out what needs to be done. Here are twelve steps for handling a security breach:
1. Contact a HIPAA Consultant and/or a HIPAA Attorney.
2. If over 500 records have been compromised, provide notice to prominent media serving your state or jurisdiction by the deadline.
3. Notify the affected patients by individual notice by the deadline. Apologize for the breach and indicate that their medical information may have been affected.
4. Implement your Employee Sanction Policy and document the breach in the employee’s personnel file.
5. Complete a Security Incident Report Form with the supporting documents.
6. Review a Data Breach Notification and Mitigation Checklist.
7. Determine whether more or fewer than 10 individual notices were undeliverable because of invalid contact information, and whether a Substitute Notice is therefore required, either by posting the notice on the homepage of your website for 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside.
8. If required, provide a toll-free number for 90 days where individuals can learn if their information was involved in the breach.
9. File a Data Breach Report with the Office for Civil Rights (OCR).
10. Review the breach, mitigate the circumstances, provide education around the breach event, and re-train staff.
11. Review federal and state breach laws for additional steps, especially concerning PII.
12. Follow both federal and state mandated laws, including potentially notifying the Attorney General and/or the three major consumer reporting agencies.
YOUR GOAL IS BREACH PREVENTION
No organization wants to find itself in the position of having to defend a breach. Preventing a breach is ideal and being proactive is necessary. Take these ideas under serious consideration:
• Hire a Managed Service Partner to monitor and manage your IT environment.
• Have regular consultations with a HIPAA knowledgeable attorney.
• Hire a HIPAA Consultant.
• Pay a professional to conduct a Comprehensive Risk Assessment.
• Mitigate the results of a Security Vulnerability Assessment.
• Implement and enforce HIPAA Security Policies/Procedures.
• Get Cyber Insurance and implement a full HIPAA Compliance Program.
• Invest in industry-standard encryption solutions.
• Have an Organizational Policy for addressing and monitoring mobile devices.
• Use Active Directory and Group Policies to enforce User Rights and Security Controls.
• Ensure that medical devices have up-to-date security patches and are malware-free.
• Implement and maintain strong firewalls with subscription services and an Intrusion Detection System (IDS).
• Cultivate a strong, ongoing Security and HIPAA Awareness Program.