
Privacy and security series part 2: Best practices in breach management

In recent years, Protected Health Information (PHI) breach prevention has become the watchword. However, with security threats like ransomware—and the recent electronic medical record (EMR) system hijackings in Texas, California and Maryland—it’s time to start thinking about what happens when prevention fails.

It is critical to have an appropriately timed and coordinated response in the wake of a breach. Having a response team in place, and meeting with it regularly, is the first step in breach management. Key members of the team include legal counsel, the privacy officer, IT and security personnel, a public relations liaison and a human resources representative. Also be sure to designate a manager or incident team leader in the plan of action (POA), so that nobody is scrambling to decide who is in charge when a breach occurs.

We explored response management further in a special session of AHIMA’s Virtual Privacy and Security Academy, the first in an MRO-sponsored three-part series continuing throughout the year.

The following is a quick overview of some of the topics we discussed.

The first 24 hours are the most important

The first 24 hours after a breach are critical. It’s imperative to have an accurate and up-to-date call list to alert and activate key members of your organization, and to follow established response protocols.

If PHI is still at immediate risk, your first priority is containment: stop any further exposure before doing anything else, while preserving the logs and systems involved so the investigation is not compromised. As a next step, gather as much information on the breach as possible: what information got out, where it went and who obtained it. Notify any business associates involved, inform local law enforcement if appropriate, and notify other key parties, such as board members.

Communications team should help with notification

If a breach affects more than 500 individuals, the HIPAA Breach Notification Rule requires notification of HHS and the media, in addition to the affected individuals, within 60 days of discovery. This becomes especially tricky if you have patients in multiple states, because 47 states have their own breach reporting laws, which are often more stringent than the federal requirements (shorter deadlines, for example). When requirements conflict, follow the strictest one.

Your public relations team will play an important role in patient notification. They must craft a uniform, reassuring response that tells patients that the incident is being investigated, that identity theft protection services are available to them at no cost, and that the organization will continue to communicate updates.

If you’d like to attend AHIMA’s Virtual Privacy and Security Academy led by MRO’s own experts, there is a session on HIPAA Compliance for Business Associates in August, and on Business Associate and Subcontractor Management in November. MRO will happily take 15 percent off AHIMA member pricing to clients and friends who register for one or both of the Virtual Privacy and Security Academy sessions. Scroll down and complete the form below to learn more and to receive our discount promo codes. We hope to see you there.



Privacy and security series, part 1: OCR protocols for phase 2 HIPAA audits


On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Starting this month with limited-scope desk audits running until July, followed by on-site full compliance audits later in 2016, Phase 2 of the HIPAA audit program is now in effect. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post. In this post, we take a look at the recently announced audit protocols, which had not yet been released at the time of our last post, and how your organization can ensure it is prepared.

The new audit protocols are more specific than the previous ones, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which must be submitted electronically through OCR's new secure online portal. On the privacy side, the major areas are 1) uses and disclosures, 2) the minimum necessary standard, 3) patient rights, 4) the notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquiries, reviewing how and where your organization's relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, assemble a mock audit team to simulate responding to some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should identify areas where policies and procedures are lacking or insufficiently documented. Complete those corrections before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, they invite the public to submit feedback by emailing

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.



Disclosure Management in a Risky World

For the Record
MRO’s Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, HIM Policy and Education, and Sara Goldstein, Esq., General Counsel, along with other industry experts, discuss the risky world of PHI disclosure management and how to develop a proactive plan to be prepared for breach events.
