Viewpoint: 5 Things You Should Do After a Data Breach Notification - American Academy of Ophthalmology

Log In Create an Account

For Practice Management /

Managing Your Practice /

Practice Management News & Advice

View Topics

Topics

All Topics

AAOE Program Highlights

Best of E-Talk

Webinar-Webcast

Alternative Payment Models

Billing

Buying, Selling, Merging Practices

Contracts

Coronavirus

EHRs

Financial Management

Lean Management

Managing Your Practice

Marketing

Medical Records

My Green Doctor

Optical Dispensing

Patient Satisfaction

Practice Operations

Practice Ownership

Professional Growth

Referrals

Regulatory Compliance

Risk Management

Staff Management

Strategic Planning

Sustainability

Viewpoint

Medical Records Managing Your Practice Risk Management Viewpoint

NOV 07, 2022

Viewpoint: 5 Things You Should Do After a Data Breach Notification

By DeAnn Tucker MHA-HI, RHIA, CHPS, CHPC, Jeffery Daigrepont

Add to My Bookmarks

View

Mark Complete

Remove

Comments

Viewpoint is a column created by AAOE^® specifically for ophthalmologists and leaders in practice management.

You’ve just been notified of a data breach from one of your business associates. Now what?

Here are five immediate steps that you should take to minimize reputational damage and ensure your practice’s response strategies are defensible:

1. Request all documentation from the business associate’s investigation.
It’s crucial that you determine specifically what information has been breached as this will inform your next steps. The documentation you request from the investigation should include the following:

A forensics analysis

A timeline of events

The data accessed or potentially accessed during the breach. Be sure to include these types of specific data elements:

Name

Date of birth

Social Security Number

Address

Financial information

Insurance information, etc.

2. Conduct your own risk assessment.
Your personal risk assessment may bring to light areas in your practice where you need to beef up your future cybersecurity protocols. At the very least, make sure your assessment of your current breach takes into consideration these factors:

The nature and extent of the protected health information involved, such as the types of identifiers and likelihood of reidentification

The unauthorized person who used the protected health information or to whom the disclosure was made

Whether the protected health information was actually acquired or viewed

The extent to which the risk to the protected health information has been mitigated

Most importantly, maintain all documentation to support your risk assessment determination.

3. Immediately contact your cybersecurity liability insurance provider.
Many insurance plans have very specific reporting timeframe requirements, so it’s important to not delay your reporting your breach. Be sure to check your policy as your coverage may also include investigation mitigation support.

4. Review your business associate agreement.
You will need to determine your business associate’s responsibilities in the event the breach is confirmed and requires reporting.

5. Notify your incident response team.
This includes legal counsel and senior leadership. You all need to be on same page with your legal responsibilities.

Cybersecurity breaches have been all too common during the pandemic. Review cybersecurity protocols throughout the year with staff so that both new hires and longer-term staff stay current with best practices.

About the Authors
DeAnn Tucker is a senior manager in Coker Group’s compliance division. She has over 28 years of combined experience in health information management as well as privacy and security in acute health systems.

Jeffery Daigrepont, senior vice president at Coker Group, specializes in healthcare automation, system integration, cybersecurity, operations, and deployment of enterprise information systems for large integrated delivery networks and private medical practices.
Related Articles

4 Effective Strategies to Drive Practice Growth Practice Management Blog Post
10 Tips for Optimizing Patient Volume Practice Management Blog Post
Try a Somatic Approach to Wellness Practice Management Blog Post
Ready, Set, Go!: EHR Migration Tips Practice Management Blog Post
Mind Your Health Practice Management Blog Post

All content on the Academy’s website is protected by copyright law and the Terms of Service. This content may not be reproduced, copied, or put into any artificial intelligence program, including large language and generative AI models, without permission from the Academy.