How to Handle a HIPAA Breach?
Most U.S. Clinicians are Unclear about How to Protect Client/Patient Privacy after a HIPAA Breach
Roughly half of American adults had their personal information hacked in 2014 alone, according to a report from CNN Money. If your behavioral health practice has been the victim of a HIPAA breach, it’s important to take immediate steps to remediate the breach. The sooner you take action, the better you can mitigate the damage to your organization and your patients’ privacy.
If your practice’s data has been breached, here are the first steps you should take:
- Call your banks and credit card companies. They’ll put a lock on your accounts to prevent fraudulent transactions. This should be done IMMEDIATELY.
- Change all of your passwords. If your old passwords were fewer than 7 characters, make your new ones longer. To increase security, use a mix of capital letters, lowercase letters, numbers, and symbols. You can refer to the NIST Guide to Enterprise Password Management for more information.
- Notify credit bureaus that your personal identity or data has been compromised. The bureaus will put a fraud alert on your profile so that your credit isn’t damaged.
- Use a credit report service to obtain a copy of your credit report for documentation purposes.
- Enrolling in an Identity Theft Recovery program is highly advisable. You can begin working on a recovery plan almost immediately.
HIPAA Breach Management
Once you’ve taken steps to immediately secure the situation, you’ll need to start on the path towards breach management.
- Immediately notify your IT department or provider. Create an action plan to deal with the breach and to identify its scope.
- Contact external companies. If you have Business Associates, vendors, or contractors whose data might have been involved in the breach, make sure to notify them immediately.
- Notify appropriate local, state, or federal authorities. If any protected health information (PHI) was breached, research the applicable laws that your practice or organization is subject to. Depending on the size and scope of the breach, you’ll need to take different steps toward notifying affected parties; refer to the HIPAA Breach Notification Rule for more information.
- If the breach is severe, it may be necessary to file an FTC or police report.
- Make sure you fully document everything you do, including the date of the breach, when you were notified, and all the steps you’ve taken thereafter. This documentation will be essential if an investigation proceeds.
HIPAA Breach Resources
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.