Insights from MRO’s Legal Expert: Best Practices for Incident Response Plans
Data breaches cost companies an average of $221 per compromised record. Heavily-regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions who experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement.
Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices.
Create a Patient Data Protection Committee
Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually.
Provide On-Going Education and Training
Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches.
As part of this culture of compliance, workforce members should undergo formal training at least once a year.
Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach.
Test the Effectiveness of Compliance Program
Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance.
Assess BA Compliance
It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits will ensure BA compliance. Make sure Business Associate Agreements (BAAs) are in place.
This blog’s author, Sara Goldstein, Esq., will give presentations on the topic of breach management and incident response at upcoming NCHIMA, MDHIMA, and FHIMA annual meetings.
This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.