12 Steps for Surviving an HHS/OCR Privacy Breach Investigation

Free Interactive Tool and Checklist for Healthcare Organizations, from ID Experts, Available At

OCR Survival Tool

PORTLAND, Ore. – June 7, 2011 – The U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been cracking down on its enforcement of the HIPAA/HITECH Privacy, Security and Data Breach Notification Rules, by investigating entities that have reported data breach and other privacy incidents. The message to healthcare organizations and providers is clear: OCR is aggressively enforcing rules and violations, resulting in hefty fines and causing reputational damage. To assist healthcare organizations prepare for, respond to, and successfully handle an OCR investigation, ID Experts is offering a toolkit and checklist, available free-of-charge at http://www2.idexpertscorp.com/breach-tools/ocr-survival-tool/. This interactive tool is geared for healthcare compliance, privacy and information security officers to assess privacy risks and mitigate data breach risks, to both survive an OCR investigation, and to reduce the risks of penalties and fines.

“The biggest challenge is that every OCR investigation is different and the only way an organization will survive one is if it is completely aware of the potential paths of the investigator and be prepared,” said Rick Kam, CIPP, president and co-founder of ID Experts. “We want to help organizations get control of their breach notification obligations and protect their patients' data.”

12 Steps For Surviving an OCR Breach Investigation

ID Experts offers 12 steps to help covered entities identify key items in their privacy and security programs that will protect the privacy of their patients before a data breach, and ensure compliance with breach notification regulations after a data breach.

1. Assign Privacy and Security Responsibility. Ensure accountability for patient privacy with a specifically designated privacy official in your organization.

2. Annual Risk Analysis. Carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.

3. Address security vulnerabilities. Implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment.

4. Workforce privacy awareness. Train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement.

5. Policy and procedure completeness. Develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI.

6. Prepare for privacy incidents. Develop procedures and tools for compliant investigation, analysis and review.

7. Incident reporting. Capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred.

8. Analysis of incident. Develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities.

9. Patient notification. Develop and document your notification to individuals/patients affected by the data breach, including all means used to ensure delivery of the notification.

10. Mitigate harm to affected individuals. Describe decisions/actions taken to mitigate the harm to individuals/patients affected by the breach.

11. Notifications to regulators and media. Develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media.

12. Determine root cause and corrective actions. Determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions.

About ID Experts

ID Experts is the leader in comprehensive data breach solutions that deliver the most positive outcomes. The company has managed hundreds of data breach incidents, protecting millions of affected individuals, for leading healthcare organizations, corporations, financial institutions, universities and government agencies. In healthcare, the company contributes to relevant legislation and rules including HITECH and is a corporate member of HIMSS. ID Experts is active with organizations that advocate for privacy for Americans including ANSI/Identity Theft Prevention, Identity Management Standards Panel and the International Association of Privacy Professionals. For more information, visit http://www2.idexpertscorp.com/, join in the All Things HITECH discussion via LinkedIn at bit.ly/AllThingsHITECH and follow ID Experts on Twitter @IDExperts.

# # #

Media Contact:

Kelly Stremel

MacKenzie Marketing Group

503-225-0725

kellys@mackenzie-marketing.com