12 steps for surviving an OCR breach investigation
ID Experts offers 12 steps to help covered entities identify key items in their privacy and security programs that will protect the privacy of their patients before a data breach, and ensure compliance with breach notification regulations after a data breach.
1. Assign privacy and security responsibility. Ensure accountability for patient privacy with a specifically designated privacy official in your organization.
2. Annual risk analysis. Carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.
3. Address security vulnerabilities. Implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment.
4. Workforce privacy awareness. Train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement.
5. Policy and procedure completeness. Develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI.
6. Prepare for privacy incidents. Develop procedures and tools for compliant investigation, analysis and review.
7. Incident reporting. Capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred.
8. Incident analysis. Develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities.
9. Patient notification. Develop and document your notification to individuals/patients affected by the data breach, including all means used to ensure delivery of the notification.
10. Mitigate harm to affected individuals. Describe decisions/actions taken to mitigate the harm to individuals/patients affected by the breach.
11. Notifications to regulators and media. Develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media.
12. Determine root cause and corrective actions. Determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions.