Data breaches are expensive – and fines are on the rise. As enforcement of data privacy laws increases, organizations need to be extra careful when storing patient information. Health-care organizations are responsible for taking appropriate action to secure patient information and remain compliant with established rules for notifying patients if a breach occurs. Every organization needs to make data privacy a top priority. There are steps organizations can take right now to prevent breaches and lower risks, but there are also actions that must be taken in the event of a privacy breach.
Doug Pollack of ID Experts has compiled a list of 12 steps an organization can take, pre- and post-breach, to help it through a privacy breach investigation. The 12 tips, documented in Pollack’s blog post “12 Steps for Surviving an HHS/OCR Privacy Breach Investigation,” are broken down as follows and can likely be applied to protecting all types of data:
- Assign privacy and security responsibility: ensure accountability for patient privacy with a specifically designated privacy official in your organization.
- Annual risk analysis: carry out an annual risk analysis intended to identify privacy and security risks and vulnerabilities.
- Address security vulnerabilities: implement security measures to reduce the risks and vulnerabilities identified in the most recent risk assessment.
- Workforce privacy awareness: train workforce members, including management and volunteers, in patient privacy and security requirements, and document evidence of security awareness enforcement.
- Policy and procedure completeness: develop thorough policies and procedures for safeguarding protected health information (PHI) and for handling unauthorized disclosure of PHI.
- Prepare for privacy incidents: develop procedures and tools for compliant investigation, analysis and review.
- Incident reporting: capture and maintain a copy of the incident report that was created or submitted and that triggered concern that a potential breach had occurred.
- Analysis of incident: develop and document a detailed description of the facts of the incident and the incident risk assessment you carried out to determine whether the incident requires notification of affected individuals and authorities.
- Patient notification: develop and document your notification to the individuals/patients affected by the data breach, including all means used to ensure delivery of the notification.
- Mitigate harm to affected individuals: describe the decisions and actions taken to mitigate the harm to individuals/patients affected by the breach.
- Notifications to regulators and media: develop and document your notifications to the necessary regulatory authorities, including HHS/OCR, as well as to the media.
- Determine root cause and corrective actions: identify and document the root cause of the incident and the corrective actions taken to address it.
At a time when major privacy breaches seem to occur on a daily basis, it’s important that companies of all sizes, across all industries, take these steps into consideration to reduce the risk of a privacy breach. Whether attackers are after company, employee, patient, client or other information, they need to be prevented from getting their hands on it.