9 Steps to Take If You Suspect a HIPAA Breach


1. Containment

   Take immediate action to prevent further disclosures (e.g., cut off access caused by a computer virus, or stop the party responsible for the breach, such as a vendor or workforce member).
   Document your efforts.

2. Find and follow your breach policy. And, if you are a business associate, find and review your business associate agreements.

3. Assemble the persons necessary to respond to the incident (the incident response team).

   Notify the privacy and security officer.
   Consider contacting legal counsel.
   Determine the need to notify senior management, IT, human resources, public relations, compliance, security, or facility services.
   Determine the need to notify law enforcement.
   Add members to the incident response team as needed.
   Notify your insurance carrier if indicated.
   If you are a business associate, prepare to notify the relevant covered entity as agreed to in the business associate agreement.

4. Conduct a complete investigation

   Get a description of the details, including what happened, who discovered the incident, and when and how it was discovered.
   Discover what data was compromised (compromised data is data that was, or may have been, disclosed).
   Determine if the incident qualifies as a HIPAA breach. Determine if the incident qualifies as a state privacy breach.
   Document your efforts.

5. Provide notice as required by federal and state law

   Provide notice to the individual within 60 days of the discovery of a breach.
   Provide notice to the media. If more than 500 individuals are affected by the breach, notice must be placed in the media within 60 days of discovering the breach.
   Provide notice to the Secretary of HHS. If fewer than 500 individuals are affected by the breach, the breach must be reported to the Secretary by March 1 of the following year. If more than 500 individuals are affected by the breach, the breach must be reported to the Secretary within 60 days of discovery of the breach. This notice is submitted electronically through a link on the HHS website.
   Determine the need to provide notice to other parties (e.g. state licensing agencies, Centers for Medicare and Medicaid Services).

6. Mitigate damages

   Take steps to prevent further disclosures of data if possible, such as requesting original documents be returned or destroyed. Attempt to get written confirmation of such action.
   Prepare a communication plan to cover communications with affected individuals and to provide them with helpful information.
   Consider providing contact information for law enforcement, the state identity theft hotline, or the FTC.
   Consider providing credit monitoring for affected individuals.
   If a business associate caused the breach, consider terminating that relationship.

7. Develop a Correction Plan

   Identify and implement the steps necessary to prevent a repeat incident.
   Review and update any policies as appropriate.
   Provide training or retraining to employees.
   Take sanctions against employees as indicated.

8. Document

   Document all phases of the incident response, from discovery through recovery.
   Maintain records for six years.

9. Perform a Risk Assessment

   Review and test the effect of the changes implemented.
   Identify any new risks and take appropriate corrective action.
   Document your efforts.