
What if I have a HIPAA Breach?

The US Department of Health and Human Services (HHS) Breach Notification Rule sets out specific steps you must take when you have a HIPAA breach of unsecured protected health information.

They are detailed at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

If the suspected breach involves computers or computer equipment in your office

If you think there may have been a breach and it involves one of the computers in your office, immediately disconnect your entire network from the Internet.

  1. Disconnect your network from the Internet. The best way to do this is to unplug the connection wire between your office and the Internet (the cable feeding your router or modem). If you do not know where this wire is, ask your IT consultant. Doing this severs every Internet connection, wired and wireless, and STOPS the transmission of any patient information out of your network. It will also prevent you from using or communicating with any online software platform or tool until the connection is restored.
  2. Call your IT professional and have them come in and do a full analysis of what happened, how it happened and what can be done to prevent it from happening again. Do not power off, wipe or reinstall the affected computers before this analysis is done; doing so destroys the evidence they need to determine what actually happened and which records were affected.
  3. Collect details about the event. Get written statements from all members of your staff detailing what they know and remember about the event, along with what they did and when. These documents will be vital as part of your investigation into what happened.

You need to find out what happened, get the situation resolved and KNOW whether the event was a breach AS SOON AS POSSIBLE. The notification deadlines in the Breach Notification Rule run from the date the breach is discovered, not from the date you finish investigating.

It is possible that your internal investigation will determine that there was not a breach and you do not need to go any further. If so, document that conclusion and the risk assessment behind it: under the rule, the burden of demonstrating that an incident did not require notification falls on you.

If the suspected breach involves computers or computer equipment outside your office such as cloud services

  1. Contact your cloud service provider immediately using a method of contact that can be documented, such as email or fax, as well as an immediate phone call. The first two give you written proof that you reached out to the cloud provider. When you speak to a representative from the provider, get their name and a reference ID for the call, and keep documentation of that phone call.

  2. Double check that you have a Business Associate Agreement with that provider; if you do not, GET ONE ASAP.

  3. Collect details about the event. Get written statements from all members of your staff detailing what they know and remember about the event, along with what they did and when. These documents will be vital as part of your investigation into what happened.

If the suspected breach involves a Business Associate that is not a cloud service provider

Contact your Business Associate immediately using a method of contact that can be documented, such as email or fax, as well as an immediate phone call. The first two give you written proof that you reached out to the business associate. When you speak to a representative from the business associate, get their name and a reference ID for the call, and keep documentation of that phone call.

If the suspected breach involves paper records or conversations that have been overheard by an unauthorized individual

Get written statements from all members of your staff detailing what they know and remember about the event, along with what they did and when. These documents will be vital as part of your investigation into what happened.

Concluding the Investigation

You want to complete your investigation as soon as possible. Once you have determined that a breach did occur, reach out to your insurance carrier (hopefully you have cyber and breach insurance) and your health care attorney. You must now follow the actions detailed in the Breach Notification Rule, which can be found at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

When a breach happens at a Business Associate, they have specific responsibilities that are outlined in the Business Associate Agreement, which is why this document is so important to have. (Read more here: https://tldsystems.com/business-associate-agreement-what-does-it-do-you)

Whether the breach happened in your office or at the Business Associate, you need to work with your health care attorney and insurance carrier to make sure the breach is properly reported to the affected patients, to HHS and, where the rule requires it, to the media. You must do everything you can to remediate and mitigate the impact of the breach on your patients.