As a healthcare provider, you do your best to protect your patients’ protected health information (PHI). But, despite your best efforts, you still might experience a PHI data breach. Not only is this a big deal for your business’s reputation and profitability, but it also puts your patients at risk.
Instead of panicking, it’s best to have a plan in place long before you experience a data breach. Every healthcare provider is different, but you should follow these four best practices in response to a PHI data breach.
1. Follow Your Incident Response Plan (IRP)
You need to act ASAP when you discover a breach. The right sequence of actions can help you prevent thieves from stealing more PHI — and potentially reduce the HIPAA fines you pay. An incident response plan (IRP) is a playbook that tells you the exact steps you need to follow to lock down compromised systems and stop breaches in their tracks.
Without an incident response plan, your business will scramble to act when you discover a breach. Panicking won’t solve anything, which is why it’s best to have a pre-written plan to keep you calm and focused. This way, you can always take the correct course of action, even when you’re working under pressure.
You’ll also need to assemble your team. Your IRP will detail who needs to be involved and what their role is in the PHI data breach process. At a minimum, this usually includes the C-suite, team leaders, IT, HR, and public relations.
2. Gather Evidence
It’s tempting to delete everything involved in the breach, but this will destroy important evidence you need both for internal purposes and for reporting the breach to the HHS. You need to retain information to see when the breach happened, who it affected, and what was compromised. If you delete everything, you’ll lose this critical information.
Be sure to gather documentation on:
- When you discovered the breach.
- How you discovered it.
- The actions you took to respond to the breach, such as resetting credentials or disconnecting affected systems from the internet.
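One way to keep that documentation from being altered or silently trimmed after the fact is a hash-chained, append-only evidence log, where every record commits to the hash of the record before it. The following Python is an added example written for this article, not code from the original post or from Tausight; the record types, timestamps, host names and incident details in it are constructed sample values.

```python
"""Hash-chained incident evidence log (added example; not the article's or Tausight's code)."""
import hashlib
import json


class EvidenceLog:
    """Append-only log in which every record commits to the hash of the one before it.

    Editing, reordering or deleting any earlier record breaks the chain, so a later
    reviewer (or a regulator) can confirm the evidence is exactly what was recorded.
    """

    GENESIS = "0" * 64  # previous-hash value used for the first record

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def append(self, kind, when, actor, detail):
        """Record one evidence item and return its hash."""
        prev_hash = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {
            "seq": len(self.records),
            "kind": kind,    # e.g. discovery / detection_method / containment_action
            "when": when,    # ISO 8601 UTC timestamp of the event being recorded
            "actor": actor,
            "detail": detail,
            "prev_hash": prev_hash,
        }
        record = dict(body, hash=self._digest(body))  # hash covers everything above
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
        prev_hash = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev_hash or self._digest(body) != rec["hash"]:
                return False, i
            prev_hash = rec["hash"]
        return True, None


def build_sample_log():
    """Constructed sample covering the three items the article says to document."""
    log = EvidenceLog()
    log.append("discovery", "2024-03-05T14:02:11Z", "soc-analyst-1",
               "EDR alert: unusual bulk read of patient-records share (constructed sample)")
    log.append("detection_method", "2024-03-05T14:02:11Z", "soc-analyst-1",
               "Alert rule 'mass file access' fired on file server FS-EXAMPLE-01 (constructed)")
    log.append("containment_action", "2024-03-05T14:20:40Z", "it-oncall",
               "Disabled remote access (VPN) for all accounts; FS-EXAMPLE-01 isolated from network")
    log.append("containment_action", "2024-03-05T14:35:02Z", "it-oncall",
               "Forced credential reset for the 3 accounts seen in the alert")
    return log


def demonstrate_tampering():
    """Show that editing or deleting a record is detected; returns both verify() results."""
    edited = build_sample_log()
    edited.records[1]["detail"] = "Routine access, no alert"  # after-the-fact rewrite
    trimmed = build_sample_log()
    del trimmed.records[2]                                     # silently dropping an action
    return edited.verify(), trimmed.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())        # (True, None)
    print("edited / trimmed:", demonstrate_tampering())  # ((False, 1), (False, 2))
```

Writing each record to append-only or off-site storage as it is created is what makes the chain useful as evidence: the hashes prove nothing if the attacker (or a well-meaning administrator) can rewrite the whole file and recompute them.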
3. Mitigate the Damage
Stopping the cyberattack should be your primary concern, but you also need to take steps to mitigate the damage, both now and in the future. For example, if you learn the source of a breach was employee negligence, that means your team needs cybersecurity training.
The steps you take to mitigate the damage will often depend on the nature of the breach, but some of those steps might involve:
- Isolating the affected systems so the breach can’t continue.
- Disconnecting from the internet.
- Disabling remote access.
- Identifying all ePHI with a solution like Tausight.
- Conducting regular risk assessments to fix your security gaps before there’s a breach.
- Patching and updating systems before taking them back online.
- Replacing legacy hardware or software.
Aside from fixing the damage caused by the breach, you should also analyze your breach response. Is there anything that surprised you? Anything you could have done better? Take this as an opportunity to fix your breach response plan so you’re better prepared for the next PHI cybersecurity scare.
4. Comply With the Breach Notification Rule
Once you’ve gathered enough information, you’ll need to inform other people about the PHI data breach, per the HIPAA Breach Notification Rule. If the breach involved 500+ patients, you’ll need to notify patients, the HHS, and the media within 60 days — so you need to move quickly.
If the breach affected fewer than 500 people, you still need to tell patients within 60 days of discovering the breach. However, you don’t need to report the breach to the HHS until 60 days before the end of the calendar year when the breach occurred.
At a minimum, your breach notifications need to give a brief overview of the breach, the information that was leaked, and how patients can take action to protect themselves. You’ll also need to post a notice about the breach on the homepage of your website for 90 days, with a toll-free number that patients can call to discuss the breach.
Act ASAP To Mitigate PHI Data Breaches
You have to take quick action whenever you discover a breach. That means addressing the source of the breach as well as quickly notifying patients about what happened. PHI data breaches aren’t easy to manage, but creating an incident response playbook ahead of time will help your practice better respond to breaches in a compliant manner.
In today’s healthcare environment, there’s an increasing demand for providers to share ePHI with other clinicians and organizations to provide better quality patient care, improve patient safety, and improve healthcare outcomes. With increased sharing comes increased risk, which is why it’s imperative that healthcare organizations can share PHI securely. Tausight’s Situational ePHI Awareness solution provides complete visibility into your PHI across all endpoints, monitoring PHI activity and risk as it’s created, moved, and shared.
Tausight offers continuous validation of cyber preparedness to help you maintain PHI security and avoid a PHI data breach. That includes an immutable, off-site audit trail that provides forensic-level detail to enable you to quickly reconstruct a security incident and reconstitute your system. Contact Tausight today to learn how Situational ePHI Awareness can help you avoid, prepare for, and respond to potential PHI security incidents.