5 tips for preparing for a potential privacy incident or data breach
February 16, 2012 in Medical Technology
Last year, health data breaches were up 97 percent, with all 50 states experiencing some sort of breach and 385 incidents affecting more than 19 million people. Experts agree: If ever there were a time to protect and prepare against breaches, that time is now.
Mahmood Sher-Jan, vice president of product management at ID Experts, believes not only in damage control after the fact, but also taking the necessary steps to prepare for the fact a breach or incident may very well occur. He gives us five tips for preparing for a potential privacy incident or data breach.
1. Do your due diligence. Have tools in place to know when information, such as PHI or PII, could be at risk, said Sher-Jan. Although this is required for organizations and business associates under various state laws and the HITECH Act, Sher-Jan emphasized the importance of procedures to help monitor and check if or when incidents or breaches have occurred. And once it’s determined sensitive information could be at risk, he continued, the next step is to know the various definitions of what constitutes a breach of information. “[It’s] very specific under the various definitions,” he said. “For example, HITECH defines a breach as an unauthorized acquisition, access, use, or disclosure of protected information under the HIPAA Privacy Rule.” In a way, though, added Sher-Jan, this is where some controversy lies, “in that disclosure poses a significant risk of financial harm to the affected individual [as well], so often in the industry, people refer to that as the ‘harm threshold.’”
[See also: 5 patient-centered social media risks.]
2. Be prepared to know about an incident the moment it occurs. Not only are organizations obligated to detect incidents, said Sher-Jan, but also the rate at which they detect incidents is becoming increasingly important. “The clock doesn’t start ticking from the time the incident is discovered,” said Sher-Jan. “Now, the stipulation is the clock starts from the time the organization should have known and should have had the right things in place.” Based on his experience, Sher-Jan continued, people tend to think if they don’t look for incidents or breaches often, they won’t be held responsible if when occurs. “They think, ‘When I find out, that’s when the obligations begin, and I have a certain amount of time to react to it,’” he said. “But now, the OCR can find you’re deficient in your mechanisms and controls for protecting information, and once it’s disclosed an incident has occurred, then can go back and figure out when, reasonably, you should have known about it.” Lastly, he added, it’s important to remember that “not all incidents turn into breaches, but all breached begin as incidents; that’s one way to realize all incidents require attention.”
Continued on the next page.