12 Steps for Surviving an HHS/OCR Privacy Breach Investigation

The U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is aggressively enforcing rules and violations, resulting in hefty fines and causing reputational damage.

Here are 12 steps to help covered entities identify key items in their privacy and security programs that will protect the privacy of their patients before a data breach, and ensure compliance with breach notification regulations after a data breach.

PRE-BREACH STEPS 1-6

1. Assign Privacy & Security Responsibility: ensure accountability for patient privacy with a specifically designated privacy official in your organization.

2. Annual Risk Analysis: carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.

3. Address security vulnerabilities: implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment

4. Workforce privacy awareness: train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement

5. Policy and procedure completeness: develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI

6. Prepare for privacy incidents: develop procedures and tools for compliant investigation, analysis and review

POST-BREACH STEPS 7-12

7. Incident reporting: capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred

8. Analysis of incident: develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities

9. Patient notification: develop and document your notification to individuals/patients affected by the data breach, including all means used to ensure delivery of the notification

10. Mitigate harm to affected individuals: describe decisions/actions taken to mitigate the harm to individuals/patients affected by the breach

11. Notifications to regulators and media: develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media

12. Determine root cause and corrective actions: determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions

We can help. The rules and regulations are constantly changing, but you don’t have to go it alone. ID Experts is your partner in data breach prevention and response.