Data Privacy Best Practices: What to Do and When to Do It

Data breaches are expensive – and fines are on the rise. As enforcement of data privacy laws increases, organizations need to be extra careful when storing patient information.

Posted by Joe Gerard in Corporate Security, Information Security on June 20th, 2011

Data breaches are expensive – and fines are on the rise. As enforcement of data privacy laws increases, organizations need to be extra careful when storing patient information. Health-care organizations are responsible for taking appropriate action to secure patient information and remain compliant with established rules for notifying patients if a breach occurs. Every organization needs to make data privacy a top priority. There are steps organizations can take right now to prevent breaches and lower risks, but there are also actions that must be taken in the event of a privacy breach.

Privacy Protection

Doug Pollack from ID Experts has compiled a list of 12 steps an organization can take pre and post-breach to help out in the case of a privacy breach investigation. The 12 tips documented in Pollack’s blog post “12 Steps for Surviving an HHS/OCR Privacy Breach Investigation,” are broken down as follows and can likely be applied to protecting all types of data:

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Pre-breach (1-6):

  1. Assign Privacy & Security Responsibility: ensure accountability for patient privacy with a specifically designated privacy official in your organization.
  2. Annual Risk Analysis: carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.
  3. Address security vulnerabilities: implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment
  4. Workforce privacy awareness: train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement
  5. Policy and procedure completeness: develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI
  6. Prepare for privacy incidents: develop procedures and tools for compliant investigation, analysis and review

Post-breach (7-12):

  1. Incident reporting: capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred
  2. Analysis of incident: develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities
  3. Patient notification: develop and document your notification to individuals/patients affected by the data breach, including all means used to ensure delivery of the notification
  4. Mitigate harm to affected individuals: describe decisions/actions taken to mitigate the harm to individuals/patients affected by the breach
  5. Notifications to regulators and media: develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media
  6. Determine root cause and corrective actions: determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions

In a time where major privacy breaches seem to be occurring on a daily basis, it’s important that companies of all sizes, across all industries, take these steps into consideration to reduce the risk of a privacy breach. Whether hackers are after company, employee, patient, client or other information, they need to be prevented from getting their hands on it.

Joe Gerard
Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.

Visit Website

Related Resources