These few words make everyone’s heart sink. You’ve trained your employees, instituted Privacy and Security Policies and Procedures, set up all your security measures, and yet you still had a breach. What can you do? (If you haven’t taken these steps, we need to have a conversation, stat!)
In a perfect world there wouldn’t be any breaches. But, if you follow my Twitter feed, you will see there are major breaches that happen to large companies, small practices and everything in between.
What steps should you take after the fact? First, Breathe. This is going to be a long process and, for your own good, you need to make sure you manage this stress.
Here is an action list to help you through this:
1. Contact your Privacy and Security Officers and let them know what has happened. This is not the time to be obscure, or obtuse. Make sure you are honest and forthcoming about everything that has happened, what information was released or lost. The more information your Privacy and Security Officers have, the better chance they are going to have at mitigating the issue at hand.
2. If you are a Business Associate or Business Associate Subcontractor, contact the company or practice you support before moving forward. They should have a plan in place (if they don’t, we need to talk), and need to be informed as to what is going on. It is important that the two organizations coordinate their response.
3. Assess what went wrong.
A. Was this human error?
B. Were you hacked?
C. Were you robbed and a device with PHI is missing?
D. Contact your local authorities if you believe this is a criminal issue.
4. All your clients or patients affected by this breach need to be contacted. This needs to be done by first class mail, email and/or phone calls. If there is an imminent threat anyone’s information could be used, it is recommended that you call those people immediately. We have sample letters you can send to clients in our HIPAA Compliance Documents packages www.TotalHIPAA.com).
5. Document this breach: what has happened, how you mitigated it, steps you’ve taken along the way. If this breach involves over 500 people, you need to file this with HHS. You have 60 days from the day you discover the issue, or should have known there was an issue.
6. Contact the local media. This only applies if you have a breach of over 500 people. We have a sample press release in our HIPAA Compliance Documents for this purpose.
A. You need to post this press release on your website in a prominent place so clients and patients know where to go,
and whom to contact if they have an issue.
7. Optional – Often, companies/practices that have had breaches will pay for credit monitoring services for those that are affected by the breach. Again, this is not required, but can engender good will and go a long way toward mitigating any negative press.
Remember, you need a plan in place before an issue like a breach hits home.
“It does not do to leave a live dragon out of your calculations, if you live near him.”
― J.R.R. Tolkien, The Hobbit