Best Practices to Minimize Data Breach Risks and Maintain a Culture of Privacy Compliance
Data breaches in healthcare are raising alarm. Nearly 20 million patient health records have been compromised in the past two years, according to the U.S. Department of Health and Human Services (HHS). The American Hospital Association brought together senior executives from healthcare, information security, compliance, and legal disciplines to discuss best practices around creating a culture of patient privacy compliance. At the seminar, Manage Data Breach Incidents and Improve Patient Privacy in Major Care Systems, experts discussed how to achieve organizational alignment around patient privacy across large, complex healthcare organizations; how to mitigate the financial and reputational risks of data breach; and specific ways to gain support from the Board and executives to create and maintain a culture of privacy compliance.
“We assembled a panel of experts in the healthcare field committed to privacy excellence and compliance initiatives,” said Michelle Collins, marketing director of AHA Solutions. “The goal of this Signature Learning Series was to share best practices and strategies, particularly around the importance of developing a culture of patient privacy compliance. The panel was clear in their direction—build a team and leverage an interdisciplinary incident response team.”
Experts Share Five Tips to Make Patient Privacy Part of Your Organizational DNA:
1. Encrypt, encrypt, encrypt!
Kimberly B. Holmes, Esq., deputy worldwide product manager – health care, Chubb Group of Insurance Companies
“While there currently are no federal minimum standards or guidance around the quality and level of encryption that should be implemented to secure PHI, having some form of encryption applied to all PHI, and especially to PHI that is stored on mobile/portable devices, mitigates the risk of potentially serious HITECH fines/penalties when a breach occurs.”
2. Prepare for a breach.
Cheryl A. Parham, Esq., associate general counsel, New York-Presbyterian Hospital
“Identify first responders with knowledge of your organization as well as the rules regarding notification and reporting. When a breach occurs, find out the facts first, then respond—but do it timely!”
3. Have a privacy and security compliance assessment carried out every year.
Doug Pollack, CIPP/US, chief strategy officer, ID Experts
“A key action for your healthcare organization to reduce your risks of being fined by the Office for Civil Rights (OCR) is to have a privacy and security compliance assessment carried out every year, and to clearly document the remedial actions that you’ve taken to address the most severe patient data privacy risks that were identified.”
4. Find the gaps and close them.
Meredith Phillips, MHSA, CHC, CHPC, chief privacy officer, Henry Ford Health Systems
“When engaging with OCR, be a partner and show that you are being proactive. When we look at our programs, we see where there are some gaps and we tell OCR what we are going to do to fix the gaps and report back. We want to show that we are taking action to correct any issues.”
5. Prevention efforts, preparation, and a well-executed response plan.
Marcy Wilder, co-chair of the Global Privacy and Information Group at Hogan Lovells
“Prevention efforts, preparation, and a well-executed response plan can go a long way toward mitigating the financial, legal and reputational harm that a security incident involving patient information can cause. Whether a breach begins with an external attack, employee malfeasance or an innocent mistake, an organization’s initial response can help minimize harm to affected individuals and manage the risks to which an institution is exposed. To start, have a written post-breach response plan ready and tested before a breach happens.”
This article comes courtesy of ID Experts and is used here with permission.