What to do after a security breach


Unfortunately, medical data security breaches are a larger part of practicing medicine than they should be. In the 2013 HIMSS Leadership Survey, 19 percent of health IT professionals from provider organizations indicated their organization faced a security breach within the past year.

Implementing practices to avoid a medical data breach greatly reduces the risk of encountering one. In the event that you do, however, you need to be prepared to take action that lessens the repercussions from patients, the public and, of course, HIPAA.

Today we look at the fictional security breach of Dr. Pepper’s practice and what he did to minimize the damage.

One sunny Friday morning, Dr. Pepper is on the way to his practice when he receives a call from his office manager. She tells him the practice was broken into, and a computer holding unencrypted patient data is missing. Dr. Pepper is shaken and about to blow his cap.

He knows HIPAA penalties can reach $50,000 per violation, so he's feeling the pressure. Fortunately, he remembers his practice's procedure manual contains a quick checklist of what to do in case of a security breach. It reads:

  • If data is stolen, notify the local police and file a report.
  • Contain the breach: isolate the affected systems, change any passwords or revoke any credentials the stolen machine could use to reach the practice's systems, and, if the device supports it, remotely lock or wipe it so the compromised information can't be used.
  • Follow the HIPAA Breach Notification Rule, which applies to unsecured (for example, unencrypted) protected health information:

Individual Notice -- Notify each individual affected by the breach without unreasonable delay, and no later than 60 days after discovering it, by first-class mail or, if the individual agreed to it before the breach, by email.

Media Notice -- If more than 500 residents of a state or jurisdiction are affected, also notify prominent media outlets serving that area, within the same 60-day window.

Notice to the Secretary -- Report the breach to the Secretary of Health & Human Services using the HHS breach report form: within 60 days of discovery if 500 or more individuals are affected, otherwise within 60 days after the end of the calendar year in which the breach was discovered.

Notification by Business Associate -- If the breach occurred at a business associate, the associate must notify the practice and identify each affected individual; use that list to send the individual notices.

  • Find and plug the hole that caused the security breach, so the same entry point can't be used again.

Dr. Pepper followed the checklist precisely, but one of his patients still filed a complaint with the HHS Office for Civil Rights (OCR). Yet, because he covered his bases, he was only hit with a relatively small penalty of $1,000, the minimum for a HIPAA violation due to reasonable cause.

In the end, Dr. Pepper was down $1,000 and a computer, but things could've been far worse. Note that the notification duties were triggered because the stolen data was unencrypted; protected health information encrypted in line with HHS guidance is not considered unsecured, and its loss would not have required notification at all.

And in the big picture, minimizing the damage to both your image and pocketbook is all you can ask for when managing a security breach. Handling the situation like our fictional Dr. Pepper should help you do that, but hopefully you’ll never be in the same position.

Did you know a cloud-based EHR could lessen potential security risks? Additional information can be found in PowerYourPractice's Intel Cloud Computing Whitepaper.

Salvador Lopez is a CareCloud content writer focusing on practice marketing, practice management, patient treatment and practice workflow. His work can be found on PowerYourPractice and the CareCloud blog. Follow him on Twitter: @SalvadorPYP.