HIPAA Data Security Breach Checklist

The Oregon Department of Human Services (DHS) recently reported a HIPAA data breach that exposed the personal information of more than 350,000 Oregon residents. The source of this breach was a phishing email with a malicious link that multiple employees opened and clicked.

If your organization is the victim of a HIPAA data security breach, there are specific steps you must take to handle the incident in accordance with HIPAA regulations. Below is a checklist to follow.

1. Identify and Stop the Breach

Once a breach occurs, it’s vital to act quickly and identify the source. HIPAA guidelines state you must act to mitigate the effects of the breach. The sooner you know how it occurred, the higher your chances of lessening its impact. 

How you stop the breach will vary based on its source. You may need to revoke access privileges for certain employees, download critical security updates to your company’s programs or change how you retrieve and send private patient information. 

2. Notify the Department of Health and Human Services About the Breach

HIPAA rules require you to promptly report data security breaches to the Department of Health and Human Services. All notifications related to the data breach must be done within 60 days of discovering it. When you make the report, have the following information on hand:

  • The nature of the breach and what information it exposed
  • The individual responsible for the breach (if known)
  • Whether any sensitive information was acquired or viewed by unauthorized individuals
  • The steps you’ve taken to mitigate damage related to the breach

3. Notify Patients of the Breach

You need to issue notifications to the patients whose information was exposed by the breach. The notification should let the patient know what steps they can take to protect themselves from the potential exposure of their information. You are also required to tell the patient what you are doing to investigate the breach and prevent future breaches from occurring.

4. Issue a Notice to the Media Regarding the Breach

If the breach exposes the information of more than 500 patients, you must issue a notice to the media about it. This increases the likelihood that affected patients will learn about the breach and understand what steps they should take.

Take Proactive Steps to Protect and Increase Your HIPAA Data Security

Though it’s important for your organization to know how to properly handle a HIPAA data breach, you should take steps to prevent a breach from occurring in the first place. Working with a company well-versed in HIPAA data security, like Network Security Associates, can help you identify steps to take to secure your networks and boost adherence to HIPAA guidelines. Contact us at 702-547-9800 to set up a network inspection. This will identify any problematic areas and offer suggestions for better securing your patients’ data.