May 2016

The unfortunate truth is that a security incident is more likely to happen than not. It is therefore critical that you take the following steps now, before an audit or breach occurs, so that your organization is prepared when one does:
- Conduct a thorough review of your HIPAA policies and procedures. Confirm that those policies and procedures have actually been implemented and are effective.
- Review applicable state law to ensure that your HIPAA compliance program also complies with state health privacy laws. Many states have adopted privacy regulations that specifically address health information, and understanding these laws is a critical component of compliance.
- Assemble an incident response team (IRT). Involve legal, IT, and human resources representatives, among others.
- Draft an incident response plan (IRP). This will be your go-to document in the event of a breach and should identify the IRT and clearly describe the decision-making process when handling security incidents.
- Test your IRT and IRP. Educate the IRT on HIPAA compliance requirements, including the Breach Notification Rule's deadlines (notification without unreasonable delay and no later than 60 calendar days after discovery of a breach), and then test that knowledge. In addition, pose hypothetical security incidents to the IRT in a tabletop exercise and have them follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the exercise.
- Perform a risk assessment. The HIPAA Security Rule requires a risk analysis covering every system that creates, receives, maintains, or transmits electronic protected health information, not only your electronic health record software. Penetration testing of your computers, devices, and electronic health record software is not itself mandated, but it is a practical way to validate that the safeguards identified in the risk analysis are actually in place and effective.
Completing these steps will not only benefit your organization by reducing the likelihood of investigations, complaints, security incidents, and significant time and money spent responding to such issues, it will bring you peace of mind in the knowledge that your organization is well prepared.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC.