The Importance of Acting Quickly when a Breach Occurs
How prepared is your business to deal with the aftermath of a data breach? “Sticking your head in the sand” may seem tempting after client data and your company’s reputation have been hit, but knowing what steps to take can go a long way toward resolving the issue and retaining your business reputation.
In our data-driven world, it is important for companies to realize that no set of security measures is completely infallible. Businesses, both big and small, are vulnerable to malware, hackers, and viruses. Let’s take a closer look at the steps you should take if a breach occurs, specifically within the healthcare field, and why each step is so important.
HIPAA Requirements For Breaches
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of HIPAA regulations, in particular those relating to the HIPAA Breach Notification Rule.
According to the HIPAA Journal, healthcare providers and other covered entities must follow certain steps, depending on the nature of the data compromised and the number of people affected. For example, if a data breach exposes the PHI (Protected Health Information) of more than 500 individuals, the Department of Health and Human Services Office for Civil Rights must be notified “without unreasonable delay,” and certainly within 60 days of the discovery of the breach. In addition, for a breach of that magnitude, the covered entity must alert a prominent media outlet serving the state where the affected individuals are located and post the breach details on the company’s website.
Likewise, a data breach involving fewer than 500 individuals requires that notices be sent to all affected individuals without unreasonable delay, and within 60 days of the discovery of the breach. The media does not need to be informed of these small-scale data breaches, even when they involve compromised Social Security numbers and healthcare data.
When a breach does occur, all covered entities, including their business associates, are required to notify all affected individuals that their Protected Health Information has been exposed, whether the exposure resulted from a hacking incident or from a lost laptop, smartphone, or any other device that contained unencrypted PHI. The HIPAA Breach Notification Rule also applies to paper records, X-ray films, and all other physical records containing PHI. The loss, theft, or disclosure of these records also requires that the affected individuals be notified.
Advice From Breach Experts
Now that you understand the law and what is required of your IT department or consulting firm, you will want to take decisive action. Seasoned crisis communications professional Jason Maloni, the Senior Vice President & Chair of the Litigation Practice of LEVICK, advises companies to “communicate the facts including: what happened, what you're doing to solve the problem and what you're doing for those affected. Few people care what got you into this situation in the first place. They care what you're doing to make it right.”
After a digital forensics team has stopped the breach and determined the initial cause, your business will need to both support the individuals who were affected and repair the company’s reputation. DataInsider experts suggest starting with communication within your organization, explaining what happened so that all employees are on the same page. That information helps team members understand where the issue originated and educates all employees about future threats.
In addition, business leaders will want to be open and honest about the issue and explain carefully how it is being mitigated. Explaining the solutions helps build trust and lets people both inside and outside the company understand how future incidents will be avoided through the changes being made now. Finally, industry experts explain that keeping an open dialogue with those affected and with the media can go a long way toward rebuilding your reputation.
Do you have questions about HIPAA and how to ensure that your healthcare practice is following the guidelines? Call Spectra Networks at 978.219.9752 or visit our website.