Breach Notification Planning Tips – Three Biggest Gaps

This entry is part 3 of 7 in the series Breach Planning Tips

The interim final breach notification rule, now in effect, requires Covered Entities to report breaches to federal authorities as well as those affected. With the number of breaches growing on the HHS "Wall of Shame", and over 3% of the American public having Protected Health Information impermissibly disclosed, organizations are now focusing their efforts on preventing breaches. We've encouraged you to work on your plan … now! Many of you asked: What are the biggest gaps Covered Entities are exhibiting? Of course, the gaps vary by size, sophistication and type of organization. Let me place them in three buckets:

  1. The Unaware / Misinformed - At the sad extreme, there are many organizations that are not even aware of their obligations OR are under the mistaken perception that, as an Interim Final Rule, Breach Notification does not have the force of law – it does.
  2. The Pre-Breach Unprepared – On a pre-breach basis, the biggest mistakes come down to simply failing to take basic preventative steps. The classic example is the failure to complete a risk analysis to identify exposures and prioritize risk mitigation actions. In this domain, the failure to implement basic controls is illustrated, to a ridiculous degree, by the number of preventable breaches that appear on the HHS Breach ‘Wall of Shame’. Think “secure it or destroy it”.
  3. The Post-Breach Unprepared – Post-breach, many organizations are totally unprepared to “scale” to the size of the breach; they lack the capacity and expertise to handle it. Taking calls for billing and customer service is not the same skill as handling ID Theft calls from irate patients or plan members.

Learn more…

  1. Read more on HealthInfoSecurity.com: Data Breach Planning Notification Tips – How to Avoid Creating Unnecessary Risk
  2. Download the 15-minute Podcast
  3. Join our new AboutHIPAA LinkedIn Group – http://abouthipaali.org/
