In recent years, Protected Health Information (PHI) breach prevention has become the watchword. However, with security threats like ransomware—and the recent electronic medical record (EMR) system hijackings in Texas, California and Maryland—it’s time to start thinking about what happens when prevention fails.
It is critical to have an appropriately timed and coordinated response in the wake of a breach. Having a response team in place, and meeting with them regularly, is the first step in breach management. Key members of the team include legal counsel, a privacy officer, IT personnel, a public relations liaison and a human resources representative. Also be sure to nominate a manager or incident team leader as part of the plan of action (POA) to avoid scrambling in the face of a breach.
We explored response management further in a special session of AHIMA’s Virtual Privacy and Security Academy, the first in an MRO-sponsored three-part series continuing throughout the year.
The following is a quick overview of some of the topics we discussed.
The first 24 hours are the most important
The first 24 hours after a breach are critical. It’s imperative to have an accurate and up-to-date call list to alert and activate key members of your organization, and to follow established response protocols.
If PHI is still at immediate risk, your first priority is to contain the breach and prevent any further exposure. The next step is to gather as much information about the breach as possible: what information got out, where it went, and who captured it. Notify business associates of the breach, inform local law enforcement if necessary, and notify any other important parties, such as board members.
The communications team should help with notification
If a breach affects more than 500 patients, federal law requires public notification within 60 days. This becomes especially tricky if you have patients in multiple states, because 47 states have their own reporting laws, which are often more stringent than the federal requirements. It is always best to follow the strictest applicable requirement.
Your public relations team will play an important role in patient notification. They must craft a uniform, reassuring response that tells patients that authorities are investigating the issue, that identity theft protection services are available free of charge, and that the organization will continue to communicate updates.
If you’d like to attend AHIMA’s Virtual Privacy and Security Academy led by MRO’s own experts, there is a session on HIPAA Compliance for Business Associates in August and one on Business Associate and Subcontractor Management in November. MRO is happy to offer clients and friends 15 percent off AHIMA member pricing when they register for one or both of the Virtual Privacy and Security Academy sessions. Scroll down and complete the form below to learn more and to receive our discount promo codes. We hope to see you there.