This column is about a security incident that my company caused earlier this year. It’s a long and detailed description. I’m confident that those of you who have never been through a security incident will find the article tedious. I invite you to read just the ending on lessons learned, or save your hard-earned free time for one of HIStalk’s other excellent columns.
The article above does an excellent job of presenting a "blow-by-blow" (literally, in some cases) account of what it is like to experience, and effectively manage, a data breach, in this case one that originated at a subcontractor of a business associate. It is a process fraught with complexity and risk, requiring rapid-fire analysis and decision making while simultaneously coordinating with a host of stakeholders and advisers (business partners, government agencies, executive management, legal counsel, etc.).
That is one of the reasons our Model Business Associate Contract requires the covered entity and the business associate to develop a breach communication plan within thirty days of executing the contract (you can obviously substitute your own number). When a breach occurs (and in the current environment it is usually a question of when, not if), you at least want the basics of a game plan already in place.
Although MAeHC apparently did an excellent job of working through these challenges, they were literally inventing the plan as they went. To be clear, some of this is unavoidable; no plan anticipates every detail of a real incident. But having a breach notification framework in place before the fact would go a long way toward providing a degree of sanity in an otherwise chaotic decision-making environment.
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.