Although behavioral health clinics often have limited staff and resources, when a patient data breach strikes, organization is the key to restoring order. One way to do this is to create a breach and crisis outline to manage the situation, said Carolyn Hartley, president and CEO of research and consulting organization Physicians EHR, Inc.
She spoke during a webinar, “HIPAA: Challenges for Behavioral Healthcare Providers in an Electronic Environment,” hosted by Behavioral Healthcare magazine.
If a data breach occurs, the first step of a breach and crisis outline is to manage the message that will be released to those potentially affected, Hartley said. This means identifying message contents, including dates of the event and discovery, what was breached, and what’s being done to investigate the patient data breach.
The second step of the outline is referred to as “internal layers,” which looks at the processes that support the message. One of the key processes is finding a way to identify affected patients, such as looking over audit trails. Another process is to establish a hotline number for patients to call with concerns, to find out which PHI was breached and whether it came from inside or outside the organization.
The third step is to determine an ideal response team. The presentation noted that including an attorney and an insurance agent on the team is a safe bet given the legal implications. Additionally, both professionals should be in contact with the Office for Civil Rights (OCR) to get any questions answered as the data breach process continues.