No matter how effective your safeguards may be, healthcare facilities are always exposed to different types of security threats. Under the HIPAA Security Rule, a security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with information in an information system. In simple terms, a HIPAA security incident is an attempt to do something unauthorized. The HIPAA law requires covered entities and business associates to develop robust incident management and response plans under the Security Incident Procedures standard of the HIPAA Security Rule.
HIPAA Incident Response
Despite having well-established policies and procedures, robust training programs, and commitment to overall HIPAA compliance, breaches can still occur. Organizations that deal with protected health information (PHI) must develop a response plan for these incidents, documenting them appropriately, and determining the root causes to prevent further occurrences. Here are some of the best practices to keep in mind:
Act efficiently when a breach occurs
Whenever a breach takes place, an organization will have 60 days to address it. How an organization responds will vary depending on the severity of the compliance issue. Even though it may be tempting to wait before addressing the problem, providers should act immediately. If they don’t, they might risk an onsite visit and receive potential penalties if a staff or a patient reports the incident to the HHS. Official bodies want to see that an organization is aware of the incident and has made solid efforts to address the issue. Demonstrating this commitment can help mitigate the risk of receiving penalties.
A key element of HIPAA compliance is documentation, and documenting the incident is no less important. When a HIPAA breach takes place, organizations must document what, how, when, and where it occurred. Organizations can approach this in a variety of ways, including spreadsheets or paper files. The problem with spreadsheets and paper files is that information stays unorganized and finding the correct file when necessary can be a hassle.
With HIPAA Ready this process is simplified. Not only can you streamline other HIPAA processes like training and audits, but you can also develop and establish a constructive response plan and procedures. In a single, centralized platform, you can note the date of the incident, what happened, who was involved, what was done in response, and how you plan to prevent such issues going forward.
Be upfront with patients
When a patient’s health information is inadvertently compromised, providers should be transparent with their patients about what happened, how it happened, and what is being done to fix the situation. A letter to the patients may be enough, but organizations should find a way to discuss the problem with the patients in person to ease their concerns. In the end, if a patient files a complaint to the OCR, the organization will run the risk of facing severe consequences.
Step by step guide on the incident response with HIPAA Ready
HIPAA Ready is a one-stop solution for HIPAA compliance. With both a web and mobile application, this robust HIPAA compliance software streamlines a variety of tasks, such as workforce training, risk assessment, internal audits, policy management, HIPAA incident response management, and much more.
Here’s a short demonstration of how to create and manage incidents using HIPAA Ready via either web or mobile devices.
Scenario: Suppose Jack has witnessed Jill stealing passwords that are used to access electronic protected health information (ePHI).
Step 1: By clicking on the “Incident” tab within HIPAA Ready’s platform, Jack will be able to see a summary of previously logged incidents, outlining the title, date of the incident, and whether the situation has been remedied or not. To create a new incident, Jack can simply click on the plus (+) icon.
Step 2: After clicking the plus icon, the page will redirect to the “Incident Information” page. Here, Jack can see that an incident ID number has automatically been generated for him. Jack will need to fill in the following fields: incident title, a brief description of the incident, attach any media files of the incident (such as a photo or video clip), select a project that corresponds with the incident, the date that the incident occurred, the date the incident was discovered, the date the incident was reported, whether it was reported by a vendor or not, and whether the incident occurred because of or by a business associate. Next, Jack will need to select the employee who reported the incident and select the facility at which the incident occurred, which will then automatically pull up the site where the incident occurred.
Step 3: Jack will now be taken to the “Incident Details” page. Here he will be required to fill in the following fields: format (did the incident occur in a paper, electronic or verbal format), the type of incident, and the location of the incident. Once Jack has done all of this, he will just need to hit the Save button.
This will take Jack to the details page of the incident that he has just logged, where he will be able to edit or delete the incident. The next step is to create an investigation for the incident.
If you are interested in learning more about the whole process and HIPAA Ready, please get in touch with CloudApper today or leave a comment below.