The Security Scrutinizer with Howard Anderson

A Breach Response Checklist

Steps to Help Ensure HIPAA Breach Rule Compliance

New York Presbyterian Hospital has developed a breach response checklist that others should consider as they create their breach resolution game plans.

Nickie Braxton, compliance and privacy officer at the hospital, outlines the key components of its strategy, which was beefed up following a breach incident:

  • Investigate security incidents immediately;
  • Mitigate potential harm promptly by taking appropriate action, such as removing data exposed on the Internet;
  • Determine whether the breach represents a significant risk of harm to patients and thus must be reported to patients and regulators;
  • Report major breaches (affecting more than 500) promptly to patients, the news media and the Department of Health and Human Services' Office for Civil Rights;
  • Conduct a root cause analysis of why the incident occurred and then take remediation action;
  • Take disciplinary action against anyone responsible for the breach;
  • Educate staff about the issues involved in the breach to help minimize the risk of similar incidents.

Breach Incident

Last year, Columbia University Medical Center, one of two medical centers that are part of the New York-Presbyterian Hospital organization, reported that a security breach may have exposed information about 6,800 patients on the Internet. "The information was inadvertently exposed on a web page, and as soon as this error was discovered, we made sure that the web page was removed," according to a hospital statement (see: New York Hospital Reports Internet Breach).

Without discussing details of the incident, Braxton noted during a presentation at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia that the breach resolution process she outlined covers the expectations of the HHS Office for Civil Rights for complying with the HIPAA breach notification rule. OCR staff investigating the breach emphasized, for example, the importance of disciplining staff responsible for a breach, she pointed out.

Also at the conference, Dawn Morgenstern of the Walgreens drugstore chain stressed the need to carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs. "When you have this process documented, it helps you not panic because you already know what you have to do," she said.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
