Going through the motions to prevent patient identity theft isn't good enough. Be sure to ask -- and answer -- these followup questions in the event of potential ID theft, recommends • How do we control a breach? • How do we determine what happened and what information was subject to the improper use? • How do we mitigate the breach (including recovering lost data for internal purposes)? • What do we need to do to ensure this doesn't happen again? • Do we have to notify anyone? • If so, who must we notify and through what means? • If we don't "have to" notify, should we notify anyway? • Is there anyone else we need to notify (clients, regulators, etc.)?