HIPAA Breaches: What to Do in a HIPAA Breach?

As of December 2018, there were over 4,500 HIPAA complaints remaining open. Every year, thousands of HIPAA complaints and violations get addressed and eventually resolved, sometimes with corrective action. Do you know what to do if an employee commits a HIPAA breach?

A HIPAA violation is a serious matter that you'll need to address carefully. In this guide, we'll help you understand exactly which steps you need to take in this situation and show you how to minimize the damage.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s technical safeguards. A risk assessment also helps reveal areas where your organization’s electronic protected health information (ePHI) could be at risk. Fines for a data breach at your practice could range from $100 to $50,000 per violation/record. Since 2011, over 21,000,000 health records have been compromised. Dental and orthodontic practices are well-known targets for hackers because of relaxed security practices that leave networks easy to exploit.

Assured Tech Services is trained to manage and mitigate a HIPAA breach. If this happens you can reach us at 248-243-7160 or email support@assuredtechservices.com.

Keep reading to learn what to do after a HIPAA breach notification.

HIPAA Breach Definition

Working in the medical industry, in any capacity, means you've heard of HIPAA laws. However, knowing that they exist isn't the same thing as knowing exactly what a HIPAA breach means.

Anytime health information protected under HIPAA gets accessed, used, disclosed, shared, or otherwise distributed to someone who doesn't have access under HIPAA laws, that's a breach.

This can happen both intentionally and unintentionally. Often, people think of HIPAA breaches as events where someone deliberately steals information. But it's also possible to accidentally share information with the wrong parties, and that also creates a HIPAA breach situation.

Also, it's important to keep in mind that not all HIPAA breaches are the same. Some are more serious than others. For example, you might have accidentally made information available, but maybe no one actually viewed it. That's a much less serious breach than if the information was seen by hundreds of people.

That said, every HIPAA breach needs to be taken seriously, because it's all too easy for one to turn into a serious situation. Next, we'll take a look at the steps you can follow once you're aware of a HIPAA violation.

What to Do After a HIPAA Violation

Following these steps as quickly as possible is crucial for minimizing the damage after a breach. Take care to confirm that a breach actually happened before you follow through with these steps.

1. Take Immediate Action

You might be aware that there are certain HIPAA notification requirements you'll need to follow after a breach. However, your first step should always be taking immediate action to halt the damage.

This means cutting off the exposure so the information is no longer viewable, accessible, or being actively shared. The exact steps you should take to accomplish this depend on how the breach occurred. For example, if some people on your team were incorrectly granted access to HIPAA-protected information, your first step would be to revoke that access.

Starting with step one, you should also carefully document every action you take.

2. Speak to Those Who Accessed the Information

If you can reach the people who incorrectly viewed or accessed the protected information, you can also help keep the damage to a minimum.

Try to track down everyone who encountered the information and let them know how important it is that they avoid using or sharing that information. This can help stop the breach from becoming even more serious.

Again, document these steps, including the responses you get, if you can.

3. Fulfill Notification Requirements

Now that you've done as much damage control as possible, it's time to start meeting the HIPAA breach notification requirements.

Ideally, you'll already have a notification plan in place before the breach happens. This will help everything move forward much faster. You're required to make all of your notifications no more than 60 days after becoming aware of a breach, if the breach impacted over 500 patients.

The first and most important people to notify are those who were affected, or could be affected, by the breach. In fact, you'll want to do this step at the same time as the first two steps on this list, or as soon as you can.

It's very important that you let patients know right away when their information has been compromised. This notification isn't optional; it's a requirement.

If the breach was large, your next step is to notify the media. This is also required, at least in cases where over 500 people were impacted. The media will help make sure that anyone affected gets alerted to the situation.

Finally, you must contact the Health and Human Services Department. After this, you've fulfilled the U.S. breach notification requirements, but make sure to also check the requirements of your state, which could be stricter.

4. Investigate the Breach

Once you've completed all of these time-sensitive steps, you can turn to your investigation. You should also try to complete this as fast as possible. Investigating soon after the breach tends to lead to better results than letting your investigation wait until later, when logs and memories are less reliable.

Try to trace the breach back to the root cause. Then, find ways to prevent the same situation from happening in the future. For example, if it was a case of giving incorrect access permissions to your staff, maybe you need a two-step process so it's not so easy to accidentally give the wrong permissions.

You'll also need to find out exactly who committed the breach. You may need to take disciplinary action, or in worst-case scenarios, terminate their employment. It's also worth holding all-staff training so that everyone can help prevent the same situation from happening again.

As you talk about the breach, take care that you're not giving out protected information as a part of the discussion. Focus your attention on preventing future breaches, as well as minimizing the damage of this one.

Are You Prepared to Protect Your Patients?

The best way to handle a HIPAA breach is to make sure one doesn't happen in the first place. If you don't have a protocol for preventing breaches, it's time to review your processes and put one into place. Don't forget to also tell all of your staff exactly what to do anytime they suspect a HIPAA violation.

Today, many breaches happen due to technical issues. You can prevent them by hiring top-quality IT services. Fill out this simple form to learn more.

HIPAA breaches require immediate action to protect your customers.