HIPAA breaches may be inevitable, so you need to be ready. Unless you are willing to absorb the heavy costs of a HIPAA data breach, make sure you are prepared. Risk analysis and management usually include building a comprehensive incident response plan that lays out the steps to follow in case of a data breach.

“Being prepared on an organizational level can mitigate the risk of both extensive data loss and negative press,” says attorney Diana Maier in San Francisco. “Before a breach takes place, a response team should be formed with key personnel, such as executives and privacy, legal, IT, and public relations staff,” Maier advises. “This team should inform the organization on the protocol to expect following a breach. When a breach does happen, the team should be responsible for implementing the response plan.” Also, keep in mind that you may need to have more than one plan, depending on the kind of data involved in the incident, Maier notes.

Device management: Heed some key advice from IBM and the Ponemon Institute in a recent collaborative study, “The 2018 Cost of a Data Breach: Global Overview”: encrypt your devices. Penalties are avoidable with strong encryption, maintains attorney John E. Morrone with Frier Levitt Attorneys at Law in New York City. For instance, “merely losing an unencrypted device constitutes a data breach under HIPAA, so encryption is truly the best method to avoid a HIPAA breach.”

A security incident is bad enough, and you need to know when not to panic versus when you need to launch a response. But if you drop the ball on your duties following a data breach, the risks of bad press and costly penalties are higher than ever before. Make sure you have a solid incident response plan in place to make a bad situation much more bearable.