How To Handle A HIPAA Breach
HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996. It mandates industry-wide standards for health care information exchanged in electronic billing and related transactions, and it requires that protected health information (PHI) be safeguarded to preserve patient confidentiality. In practice, to remain compliant you must make sure that any health information you hold on patients or clients is properly protected. Violations of HIPAA can result in serious financial penalties, which is why you will want to take every reasonable precaution to avoid a breach. Unfortunately, breaches still happen. If you experience a HIPAA breach, you will want to do the following:
1. Respond Quickly to Limit the Damage
The moment you discover a HIPAA breach, begin assembling an investigation and response team to limit the damage as much as possible. This team should include the HIPAA security officer, the HIPAA privacy officer, and your attorney. If you run a larger organization, you will also want to include members of the HIPAA compliance committee, the board of trustees, and the board of directors.
2. Investigate the Breach
The scope of the investigation will depend a lot on how big the breach was. For example, if the breach was the result of an internal mistake by staff (such as the accidental disclosure of health information to the wrong party), you will want to conduct the investigation as privately as possible. Involve your attorney early so that the investigation can be conducted under attorney-client privilege, and seek counsel on how to manage the flow of information so that the privilege is maintained. Many HIPAA breaches are caused by insider mistakes rather than outside attackers. When this happens, conduct private interviews with all relevant parties and gather supporting evidence, which can include letters, emails, access logs, and other records showing who handled the information and when.
3. Notify the Proper Parties About the Breach
Generally, you are required to notify the affected individuals without unreasonable delay and no later than 60 calendar days after you discover the breach, unless law enforcement specifically instructs you to delay because notification could hinder their investigation. The U.S. Department of Health and Human Services (HHS) must also be notified, and breaches affecting more than 500 residents of a state or jurisdiction require notification of prominent media outlets as well. When notifying the affected parties, communicate what happened as clearly as possible. Tell them what data was involved (for example, whether their Social Security numbers were exposed), what your company is doing to investigate the breach and mitigate the damage, what they can do to protect themselves, and how they can reach you for more information about the situation.
4. Perform a Risk Assessment
Once you have finished investigating the HIPAA breach and have taken steps to mitigate further damage, conduct a HIPAA-compliant risk assessment. This is a full assessment of the threats to the confidentiality, integrity, and availability of the health data you hold, and of the safeguards currently in place against them. Risk assessments must be performed routinely, not only after a security incident. Address every vulnerability the assessment uncovers, and document what you found and what you fixed, to reduce the risk of another HIPAA breach in the future.
5. Protect Yourself and Be Ready
At AccuShred we go to great lengths to keep your data secure, and that is why we now offer CSR Privacy Assessment & Data Breach Reporting Solutions for Small Businesses. CSR begins with a self-assessment questionnaire that helps you identify potential deficiencies in your data security. Once the assessment is complete, CSR offers remediation suggestions to help tighten up your data security. In the event of a data breach, CSR handles all of the mandated reporting on your behalf, which can be complicated, time consuming, and expensive, especially when more than one state's records are involved. Not every data breach must be reported, but without expert guidance you may not know which ones do. The last thing your company's reputation needs is a public data breach, especially one you reported when it did not have to become public knowledge.
If you have sensitive health information on your hard drives and you plan to upgrade or replace those drives, it is essential that they are properly destroyed. Simply deleting the files or reformatting the drive does not remove the data; it can still be recovered with readily available tools. Physically destroying the drives through a professional data destruction service like AccuShred ensures the data cannot be recovered, which is what HIPAA compliance requires when media containing PHI is retired. But beware: not all data destruction companies are the same. Do your homework and ask questions. You will have peace of mind knowing that the company you choose has equipment capable of destroying your hard drives for good. Contact AccuShred today to discuss how our data destruction services, combined with CSR Readiness Pro, can help keep your business data secure.