A Breach Response ChecklistSteps to Help Ensure HIPAA Breach Rule Compliance
New York Presbyterian Hospital has developed a breach response checklist that others should consider as they create their breach resolution game plans.
Nickie Braxton, compliance and privacy officer at the hospital, outlines the key components of its strategy, which was beefed up following a breach incident:
- Investigate security incidents immediately;
- Mitigate potential harm promptly by taking appropriate action, such as removing data exposed on the Internet;
- Determine whether the breach represents a significant risk of harm to patients and thus must be reported to patients and regulators;
- Report major breaches (affecting more than 500) promptly to patients, the news media and the Department of Health and Human Services' Office for Civil Rights;
- Conduct a root cause analysis of why the incident occurred and then take remediation action.
- Take disciplinary action against anyone responsible for the breach;
- Educate staff about the issues involved in the breach to help minimize the risk of similar incidents.
When you have this process documented, it helps you not panic because you already know what you have to do.
Last year, Columbia University Medical Center, one of two medical centers that are part of the New York-Presbyterian Hospital organization, reported a security breach may have exposed information about 6,800 patients on the Internet. "The information was inadvertently exposed on a web page, and as soon as this error was discovered, we made sure that the web page was removed," according to a hospital statement (see: New York Hospital Reports Internet Breach).
Without discussing details of the incident, Braxton noted during a presentation at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia that the breach resolution process she outlined covers the expectations of the HHS Office for Civil Rights for complying with the HIPAA breach notification rule. OCR staff investigating the breach emphasized, for example, the importance of disciplining staff responsible for a breach, she pointed out.
Also at the conference, Dawn Morgenstern of the Walgreens drugstore chain stressed the need to carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs. "When you have this process documented, it helps you not panic because you already know what you have to do," she said.