Follow 7 expert-recommended steps to evaluate, document, and report breaches.
With the increase in data breach incidents—as well as the rise in HIPAA breach penalties—it’s more important than ever for covered entities (CEs) and business associates (BAs) to develop a thorough incident response plan. Here’s what you need to do right now to protect your organization from the devastating fallout of a mishandled breach response.
Form an Incident Response Team
Payoff: “Being prepared on an organizational level can mitigate the risk of both extensive data loss and negative press,” says Diana Maier, an employment and privacy law attorney of the Law Offices of Diana Maier based in San Francisco.
“Before a breach takes place, a response team should be formed with key personnel, such as executives and privacy, legal, IT, and public relations staff,” Maier advises. “This team should inform the organization on the protocol to expect following a breach. When a breach does happen, the team should be responsible for implementing the response plan.”
Also, keep in mind that you may need to have more than one plan, depending on the kind of data involved in the incident, Maier notes.
Follow 3 Steps to Address Security Incidents
There are three phases of security incident management, which you should carry out in succession as needed, according to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems LLC based in Charlotte, VT. The three major phases are:
This determination will guide your next steps. If the information is not covered under breach notification laws, you would document the incident and consider it at a future periodic incident review meeting, Sheldon-Dean advises.
The basics: According to Maier, your incident response plan should vary depending on the kinds of data involved—but all plans should include the following steps after discovering a breach:
To learn more about plotting out your organization’s security incident response plan, pick up your copy of TCI’s HIPAA Handbook 2017.