Pediatric Coding Alert

Patient Privacy:

3 Essential Steps to Take After A HIPAA Breach

Know the ropes, no matter how big or small the breach was.

Your pediatric practice may not be dealing with huge networks of computers, but it’s likely that you’ve sent an email to the wrong address, submitted a fax including sensitive patient information, or left another patient’s file up on a computer screen in front of a patient. If you’ve breached the HIPAA law in any of these ways or by other means, you need to know what to do.

With the increase in data breach incidents — as well as the rise in HIPAA breach penalties — it’s more important than ever to develop a thorough incident response plan. Here’s what you need to do right now to protect your agency from the devastating fallout of a mishandled breach response.

Form An Incident Response Team

Payoff: “Being prepared on an organizational level can mitigate the risk of both extensive data loss and negative press,” says Diana Maier, an employment and privacy law attorney of the Law Offices of Diana Maier based in San Francisco.

“Before a breach takes place, a response team should be formed with key personnel, such as executives and privacy, legal, IT, and public relations staff,” Maier advises. “This team should inform the organization on the protocol to expect following a breach. When a breach does happen, the team should be responsible for implementing the response plan.”

Also, keep in mind that you may need to have more than one plan, depending on the kind of data involved in the incident, Maier notes.

Follow 3 Steps to Address Security Incidents

There are three phases of security incident management, which you should carry out in succession as needed, according to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems based in Charlotte, Vt. The three major phases are:

1. Assess the security incident. First, you need to assess the incident to determine what happened and what you need to do to avoid the problem in the future, Sheldon-Dean says. “Part of this assessment includes a determination of whether or not the incident includes information that may qualify the incident as a reportable breach under state or federal laws.”

This decision will help you to determine your next steps. If the information is not covered under breach notification laws, you would document the incident and consider it at a future periodic incident review meeting, Sheldon-Dean advises.

2. Evaluate potentially reportable breaches. But if the information is covered under breach notification laws, then you need to review the incident, Sheldon-Dean says. In this second phase, review the incident in the context of the applicable breach notification laws to determine if the breach is reportable under those laws.

3. Report the breach as necessary. If you determine that the incident is a reportable breach, this would trigger the reporting process, according to Sheldon-Dean. You would then need to report (and document your reporting) to the affected individuals, the Department of Health & Human Services, the press, and various state agencies as the law requires.

The basics: According to Maier, your incident response plan should vary depending on the kinds of data involved — but all plans should include the following steps after discovering a breach:

  • Secure the area or network involved in the cause of the breach;
  • Ensure the breach has stopped or stop it;
  • Preserve evidence (for example, secure the metadata) and document all aspects of the incident;
  • Notify those whose information has been breached and, as necessary, the media and any relevant authorities like the HHS Office for Civil Rights; and
  • Work with forensics firms, law enforcement, OCR, etc., as needed.