It is an unprecedented situation: almost the whole world has come to a standstill as lockdowns are imposed to save lives. Even so, data breach incidents are still taking place, exposing sensitive patient data to hackers. Although employees receive continuous training so that they can detect potential threats that lead to data breaches, cybercriminals continually come up with new strategies to attack and steal patients’ PHI (protected health information). Thankfully, HIPAA rules and regulations provide guidelines to follow before, during, and even after a data breach.
The number in four months
In the first four months of 2020, over 143 incidents were reported through the HIPAA Breach Reporting Tool. That figure alone shows how relentless hackers are and how much they want the data.
A recent case
Last month, Ambry Genetics reported a data breach in which the PHI of around 233,000 patients was potentially compromised. The exposed PHI included names, medical information, limited Social Security Numbers, and information about the services its patients had used.
How it detected the potential data breach
The Californian genetic testing laboratory detected the incident between 22 and 24 January 2020. Its security team spotted an anomaly: an employee’s email account had been accessed by an outsider, which prompted a thorough investigation. Ambry Genetics found no evidence that the information had been misused; however, that does not mean the PHI was not compromised. Even though the officials could not determine whether the intruder had viewed or stolen PHI from the affected account, they still sent notifications to the affected individuals.
Ambry Genetics is offering the affected patients complimentary identity monitoring services and is taking the necessary preventive measures to avoid a repeat of such an incident.
In this case, Ambry Genetics followed the HIPAA rules and regulations and notified the required parties within the specified time. However, not all organizations follow the rules. Many healthcare organizations report to the authorized parties after the deadline, fail to notify patients within the required time, and so on. These organizations get hit with hefty fines for HIPAA violations and can even face lawsuits from patients because they failed to protect their sensitive data. So, how can this be avoided? Let’s analyze.
Some do’s and don’ts regarding data breaches
Stay ahead of the curve
The best way to deal with a data breach and mitigate risk is to plan before a breach takes place. It is crucial to have a procedure in place for analyzing incidents that may harm patient data privacy and security. Developing a breach response plan with key officials is a good strategy, as is ensuring that the employees who handle patient data are on the same page regarding these matters, since they are the ones who need to be extra careful. State or federal reporting requirements can change, and staff need to be notified of such updates. Fortunately, there are solutions to help you with this, but more on that later. Moreover, regular privacy and security risk assessments should be carried out to evaluate internal and external threats to PHI.
Stick to the rules rather than reacting
There are many cases where healthcare organizations react without first assessing the whole incident. It is crucial that the key officials keep their cool, gather all the facts about the incident, and evaluate the situation before responding, because first reactions can complicate the matter further and have consequences of their own. Organizations should instead detect the incident, investigate it, determine its severity, and reach a solid conclusion. Afterward, they can follow the HIPAA rules and regulations, reporting the breach to the concerned parties, notifying patients, and so on, to ensure compliance.
Continuously monitor and adapt after the breach
As in the Ambry Genetics case, there are many incidents where there is no evidence that the data has been misused. It may therefore take some time to see the after-effects of a data breach and what hackers do with the stolen data. Organizations need to keep monitoring the affected patients’ data continuously. They can also offer complimentary services to mitigate any negative reaction from patients, just as Ambry Genetics did. Such a gesture can go a long way, showing that you care for your patients.
Simplify HIPAA rules and regulations with HIPAA Ready
As can be seen, HIPAA compliance is a complex and continuous process. There are rules and regulations an organization needs to follow to ensure that PHI remains safe, and the rules are updated to adapt to changing circumstances, such as the changes now being made to handle the coronavirus pandemic more effectively.
To ensure that you are always up to date, use HIPAA Ready. It is HIPAA compliance software that simplifies and streamlines the compliance process for your organization. Create digital checklists, report incidents, schedule training, and update and notify all your employees about policies and procedures, all from a single application!