Breach Prevention is Critical as HIPAA Compliance Worlds Collide
Responding to the breach
"Installing a program to prevent loss of PHI is like putting an alarm on your house," says Blustein. "It's a good start and it will prevent some thieves, but it doesn't mean you'll never have a problem."
If you discover a breach, alert your attorneys and consider retaining outside counsel. This serves two purposes. It provides an unbiased look at the event and helps protect your organization.
Activate the response teams you previously established, says Blustein. They should be prepared to investigate all aspects of the breach, including:
- How the theft occurred
- Who took the information
- Whether employees were at fault
- The amount of information taken
- The number and identity of affected patients
- The type of information stolen
Soon after making these determinations, decide whom you must notify and how you must do this. You'll need to consider state law, HIPAA, and the HITECH Act, says Blustein. You also must ask yourself what the right thing to do is, he says.
"You need someone in your organization who can make these decisions quickly to avoid the bottleneck problem," says Blustein. "The concern is that often things pile up and it takes too long to get approval and the notification letter ends up sitting on an administrator's desk."
Also consider offering affected individuals free credit monitoring for a specified period to help limit the effects of identity theft.
"You want to do everything you can to protect yourself and your patients," says Blustein. "By monitoring credit and notifying the right people, you might be able to cut off the use of their personal information before any damage is done."
Learning your lessons
The nature of the breach will help determine whether you want to amend your existing policies to be better prepared, educate staff members with respect to prevention, or implement more safeguards, says Blustein. Shore up any documentation pertaining to the incident in case there is an investigation, he says.
Even if you don't experience a security incident, monitor businesses and healthcare organizations in your area that may have been affected, advises Mebane.
"You can't just roll out policies and be done with it," says Blustein. "The challenges are always changing, and you need to be able to keep up with them."
Ensuring uniformity throughout your organization is important. "An organization should strive to ensure that your clinic down the street has the same policies and protection as the computer in your main lobby," says Blustein.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.