Healthcare News & Insights

Steps for responding to PHI breaches

Securing patients’ protected health information (PHI) from breaches is a crucial task for any hospital that wants to stay in compliance with HIPAA regulations. But no matter how much time, money and energy are put into PHI security, facilities can still experience breaches.

Being able to quickly respond to and contain PHI breaches can spare facilities from huge blows to their finances and reputations, according to iHealthBeat. That’s why having a solid security incident response plan that details a definite process for responding to security incidents is so important.

Lackluster responses

Crafting an effective incident response plan will take time, especially since the healthcare industry is rife with challenges to work around. BitSight, a firm that evaluates and rates companies’ security capabilities, ranked health care as one of the lowest-performing industries in terms of cyber security.

In general, the industry has been slow to detect and respond to cyber security threats. For example, Conficker, a well-known worm, causes about 13% of technology issues in health care — a relatively high number considering the security industry has long had effective ways of blocking it.

Other security issues typically stem from:

  • vulnerabilities through electronic health records (EHRs)
  • lack of threat detection controls and methods in facilities
  • limited budgets for developing PHI security and incident response tactics, and
  • insufficient information/data sharing among healthcare facilities about emerging threats and effective security strategies.

Unfortunately, since healthcare organizations come in a wide variety of forms and serve a wide variety of functions, there can’t be a one-size-fits-all approach to PHI security. Each facility has unique proficiencies and limitations, and any PHI security or incident response effort will have to account for these pros and cons.

Create diverse team

However, there are several important steps that can help you develop a formalized, structured incident response plan.

For one, create a team that will focus on implementing and adapting your incident response plan over time. You’ll want to include a diverse range of staff members like IT workers, security workers, privacy experts and operations staff.

Your team also should develop strong ties to your facility’s communication and legal departments, since breaches heighten scrutiny, particularly from the media. Teams will need to watch for new HIPAA regulations as changes will influence how your facility secures PHI and, subsequently, responds to breaches.

Outline steps

Plans your team develops should outline the various steps your organization will take in case of a breach.

Consider time frames for when certain actions in the incident response plan need to be done. For example, decide exactly when, within the 60-day time frame, you will notify affected patients about the breach.

The steps of your response plan should be well documented and distributed to relevant staff so they understand their duties in case of a breach. In addition, plans should provide guidance about team communications. For example, at what point do you inform and involve the organization’s leadership or board?

Having this information in writing helps other staff members understand your incident response process. Plus, a documented response process is useful in the event of a HIPAA audit, as it shows your attempts at compliance and the kind of preventive action you took. Should a breach occur, having your process in writing could reduce your penalties as well.
