How to survive a privacy breach audit
The message to healthcare organizations and providers is clear: OCR is aggressively enforcing rules and violations, resulting in hefty fines and causing reputational damage.
That said, there are some important steps HIPAA covered entities can take pre-breach and post-breach to help reduce the risks associated with having to report a breach incident, according to Portland, Ore.-based ID Experts.
The U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been cracking down on its enforcement of the HIPAA/HITECH Privacy, Security and Data Breach Notification Rules, by investigating entities that have reported data breach and other privacy incidents.
[Editor's Desk: Barely visible, big-impact health IT projects.]
To assist healthcare organizations to prepare for, respond to, and successfully handle an OCR investigation, ID Experts is offering a toolkit and checklist, available free-of-charge. This interactive tool is geared for healthcare compliance, privacy and information security officers to assess privacy risks and mitigate data breach risks, to both survive an OCR investigation, and to reduce the risks of penalties and fines.
"The biggest challenge is that every OCR investigation is different and the only way an organization will survive one is if it is completely aware of the potential paths of the investigator and be prepared," said Rick Kam, CIPP, president and co-founder of ID Experts. "We want to help organizations get control of their breach notification obligations and protect their patients' data."
ID Experts offers 12 steps to help covered entities identify key items in their privacy and security programs that will protect the privacy of their patients before a data breach, and ensure compliance with breach notification regulations after a data breach.
1. Assign Privacy and Security Responsibility. Ensure accountability for patient privacy with a specifically designated privacy official in your organization.
2. Annual Risk Analysis. Carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.
3. Address security vulnerabilities. Implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment.
4. Workforce privacy awareness. Train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement.
5. Policy and procedure completeness. Develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI.
6. Prepare for privacy incidents. Develop procedures and tools for compliant investigation, analysis and review.
7. Incident reporting. Capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred.
8. Analysis of incident. Develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities.
9. Patient notification. Develop and document your notification to individuals/patients affected by the data breach, including all means used to ensure delivery of the notification.
10. Mitigate harm to affected individuals. Describe decisions/actions taken to mitigate the harm to individuals/patients affected by the breach.
11. Notifications to regulators and media. Develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media.
12. Determine root cause and corrective actions. Determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions.