How to Handle a HIPAA Breach?


January 21, 2017 | Reading Time: 2 Minutes


If your behavioral health practice has been the victim of a HIPAA breach, it’s important to take immediate steps to remediate the breach. The sooner you take action, the better you can mitigate the damage to your organization and your patients’ privacy.

If your practice’s data has been breached, here are the first steps you should take:

  • Call your banks and credit card companies. They’ll put a lock on your accounts to prevent fraudulent transactions. This should be done IMMEDIATELY.
  • Change all of your passwords. If your old passwords were fewer than 7 characters, make your new ones longer. To increase security, use a mix of capital letters, lowercase letters, numbers, and symbols. You can refer to the NIST Guide to Enterprise Password Management for more information.
  • Notify credit bureaus that your personal identity or data has been compromised. The bureaus will put a fraud alert on your profile so that your credit isn’t damaged.
  • Use a credit report service to obtain a copy of your credit report for documentation purposes.
  • Enrolling in an Identity Theft Recovery program is highly advisable. You can begin working on a recovery plan almost immediately.

Breach Management

Once you’ve taken steps to immediately secure the situation, you’ll need to start on the path towards breach management.

You should:

  • Immediately notify your IT department or provider. Create an action plan to deal with the breach and to identify its scope.
  • Contact external companies. If you have Business Associates, vendors, or contractors whose data might have been involved in the breach, make sure to notify them immediately.
  • Notify appropriate local, state, or federal authorities. If any protected health information (PHI) was breached, research the applicable laws that bind your practice or organization. Depending on the size and scope of the breach, you’ll need to take different steps toward notifying affected parties. Refer to the HIPAA Breach Notification Rule for more information.
  • If the HIPAA breach is severe, it may be necessary to file an FTC or police report.
  • Make sure you fully document everything you do, including the date of the breach, when you were notified, and all the steps you’ve taken thereafter. This documentation will be essential if an investigation proceeds.

Jim Wortham
6 years ago

Greetings and thanks for sending me information. I am interested in your certificate training program. May I do this by studying online? Or through watching DVDs and taking any tests needed? My counseling hours are crazy, as I run my own counseling center. Many blessings to you, Jim Wortham
Credentials: MA, LMFT, LCSW, LCAC

Marlene Maheu, Ph. D.
6 years ago
Reply to  Jim Wortham

At our Telebehavioral Health Institute (formerly the TeleMental Health Institute), you can complete either one of two certifications online. Choose the one that best suits you by going to this page and reviewing your options: https://blog.telehealth.org/courses
