This time we’re going to take a look at HIPAA Incident Response Plans (IRP). An IRP is something that every practice should have, regardless of size or field of expertise. Pay attention, because an IRP can relate to the first 3 topics of this blog series: Safe Harbor, Willful Neglect, and Policies.
So, I know an Incident Response Plan is necessary, but what exactly is an IRP?
An IRP needs to be followed for any HIPAA security breach, and is the practice’s guidelines and policy that determines the proper course of action.
Every practice should have a team set up to react to a security breach. Generally, those who manage data will be in charge, but everyone should be ready to help. The make-up of the response team will be different for each practice due to differences in size and focus.
The response team will then follow their practice’s IRP. Each IRP may be different, but all of them need to address certain questions and issues.
What sort of questions and issues?
Obviously, finding out what happened is key. What was breached? How? When? It’s important to gather all possible data regarding the breach. The more that is known, the easier it will be to respond.
Once the nature of the breach is known, putting a stop to it needs to be the highest priority. The longer an exploit in the practice is present, more information has the potential to be stolen. An exploit doesn’t necessarily have to be a technical thing either: A broken window or lock can be exploited to gain access when nobody is around. Fix whatever issue exists.
Find out what was breached. How much data? Whose data? What kind of data? There’s going to be a lot of explaining to do, and knowing whose data was breached goes into the next step.
Inform the people whose data has been breached, if required. Identity theft insurance may need to be purchased for each individual whose data was stolen. It’s not just the people who need to know, though, certain government agencies will need to be told based on different regulations. Depending on the size of the breach, local media may need to be informed as well. If you qualify for safe harbor provisions, things at this stage may be a lot easier.
Finally review policies and procedures within the practice that need to be added or changed in order to prevent a breach from happening again. A good IRP is worthless if nothing is learned from it.
Also, it goes without saying that everything above needs to be thoroughly documented. Depending on the severity of the breach, government agencies may open an investigation, and proper documentation can make a huge difference in the way an investigation plays out.
Okay, so, just keep electronic data safe and encrypted, yes? Then there won’t be a need to worry as much about a data breach!
Well, it’s true that electronic data should be kept safe and encrypted, but that’s not the only way a HIPAA data breach can occur. Written documents can be stolen or copied. Information breaches can even occur verbally. While somebody overhearing a conversation between two doctors may not seem like a big deal, it is a breach and policies were probably not being followed to allow that situation to happen. It’s important to take into account all ways that private data can be obtained.
Yes, data breaches can be an unpleasant thing to think about, but knowing what to do in response to one is just as important as preventing one in the first place.