
Master First 3 Steps in HIPAA Response Plan, Reduce Violations


In 2021, HIPAA breaches exposed more than 45 million patient records to hackers and marked a new annual record for HIPAA-related information offenses.

HIPAA data violations not only put sensitive patient information in the hands of nefarious actors, but they also open your practice up to serious fines and penalties. Even unintentional HIPAA breaches can result in penalties up to $50,000 per violation (or more!).

Unfortunately, HIPAA data breaches can happen to just about any practice, including yours. You can, however, mitigate the subsequent financial and legal consequences of a breach by having a

Under HIPAA, your practice is required to have an incident response plan, but the law does not prescribe how extensive that plan must be. It does recommend a variety of steps for a complete HIPAA incident response plan, and the first three steps you take after discovering a breach can be the most impactful.

The steps you take early on can determine whether you’re able to stem the flow of private patient information and seal up the leak before your practice is in an even bigger mess. The initial three steps after you discover a HIPAA breach are identifying the source of the breach, tracking what’s been compromised, and containing the situation to prevent further data loss.

Having these early steps mapped out allows you to avoid hasty, panicked decisions that can make matters worse, such as destroying evidence or losing critical data.

1. Identify Breach Source

In this first step, you must determine when the data may have been compromised and what sort of leak occurred. Your internal malware prevention software can help with this. If you’ve got malware prevention software on your computers, it should alert you if something has been downloaded that could compromise your data.

It’s crucial that you train all your staff on how your practice will be notified of potential threats. For example, one person’s computer may show a notice while another’s may not. What steps your staff must take should be part of your documented HIPAA training for all employees and should include:

  • What to look for (e.g., alerts from malware or antivirus software, suspicious emails, etc.)
  • What action to take when a problem is discovered (e.g., take a screenshot of the alert or email)
  • Who to contact (e.g., practice manager, IT team, etc., including all pertinent names, phone numbers, and email addresses)
  • What should happen after they’ve notified someone (e.g., leave the computer on and don’t touch it)

2. Track Compromised Data

The next important step is to put your plan for managing a data breach into action. This will help you identify what type of data was accessed and how much has been compromised.

Your HIPAA incident response plan should include methods for determining both cyber breaches and human-caused leaks (such as when a staff member releases patient data over the phone or at the front desk).

Determining the exact data that was compromised may take a significant amount of time, but it’s important. It will help you identify whether the leak was a one-time issue or could still be ongoing. There are typically two primary sources of access to your patients’ information:

  • Cyber Breaches: When your data is accessed over the Internet, you will likely work with an IT team to identify exactly how the data was accessed (i.e., email, portal, etc.), which records were accessed and how much of your patients’ information was released. As your team uncovers the answers to these questions, be sure to keep careful, complete records of any findings. This documentation should be included when you ultimately report your breach.
  • Human-Caused Leak: If someone at your office is the source of your patients’ information being leaked, you need to take immediate action. As soon as you find out, you should sit down with the person or people responsible (or anyone who may have information) to ferret out the details. Your goal is to determine exactly what data was given out, who was involved, and how it was distributed. As you investigate, be sure to take detailed notes that can be used later if you end up being investigated.

3. Contain the Situation

Finally, your HIPAA incident response plan should include procedures for containing both cyber and human data leaks.

  • Cyber Breaches: Your IT team will likely lead the charge on determining what needs to be done to stop further data loss, such as removing malware from computers. Once the situation has been contained, schedule a staff training session that walks them through the specifics of the incident and what steps they need to take to hopefully prevent something similar from happening in the future.
  • Human-Caused Leak: Regardless of whether your staff accidentally or intentionally leaked your patient data, you must implement a plan and train your staff on it to help reduce the chances of it happening again. Your incident response plan should also include any disciplinary action that will occur if an employee is found to be responsible for a breach. These consequences should be spelled out in your HIPAA training that is given to your team.

To help your staff remember what action to take should a data breach occur, consider creating a printout to keep at all employee workstations. This can help serve as an easy visual reminder of the necessary first steps to take so your staff doesn’t panic and accidentally make matters worse in the moment.

Having these three steps written out in your HIPAA incident response plan allows you to quickly put them into action when you discover a breach, prevent things from getting worse and potentially decrease any fines your practice may face.

Note: Another common access point for HIPAA breaches is email. This blog post will provide you with multiple tips to help you when training your team to avoid such attacks.

When it comes to HIPAA violations, an ounce of prevention can easily outweigh a pound of cure. Keep sneaky, common HIPAA violations from causing you major headaches by attending Healthcare Training Leader’s online training session, Prevent Most Common HIPAA Violations and Massive Penalties. This 90-minute session walks you through the steps you need to take to ensure your practice’s HIPAA policies and procedures are up to snuff and help you avoid trouble. Access this training today.
