10 steps to take when you've been hit with a breach
A data breach is an equal-opportunity threat to hospitals and practices. As long as you hold and process patients’ protected health information (PHI), breaches do not discriminate based on the size of your hospital system or practice. Simple things such as a stolen laptop, a missing back-up drive or unintentional human error could put your organization at risk.
Just as data breaches don’t discriminate, neither do federal regulations. Hospitals and medical practices of all sizes must comply with the privacy and data breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. These organizations must also carry HITECH’s administrative burden of proof, which encompasses incident assessment, documentation, notification of affected individuals and the media, and reporting to the U.S. Department of Health and Human Services (HHS).
Here are 10 steps to take in the event of a data breach:
1. Ask, “What is the most devastating impact of the breach?” to guide your subsequent decisions and actions.
2. Mobilize your incident response team. It is critical that you take immediate action and have a clear plan and decision-making process to avoid any delays that could create a risk of non-compliance and regulatory fines. Document and maintain an up-to-date incident response plan.
3. Conduct forensics and root cause analysis. It is critical to identify the scope and root cause of an incident and take immediate steps to prevent it from causing further damage.
4. Engage your selected resources. Identify external legal and breach response resources well in advance of a breach event. To ensure a good fit, choose resources with demonstrable experience working with clinics and healthcare organizations. Make sure your vendors adhere to the HIPAA/HITECH privacy and security rules.
5. Conduct an incident risk assessment. Document your investigation and risk assessment process to ensure you meet your burden of proof under the HITECH Act.
6. Notify patients. You may want to seek assistance in handling the notification process. Most organizations do not have the resources, expertise or the infrastructure necessary to comply with the rules and avoid fines.
7. Set up a call center. Proper handling of patient calls can significantly reduce any damage to your reputation and lower overall costs.
8. Know federal and state requirements. You need to ensure compliance with both federal and state obligations to avoid risking additional penalties.
9. Report the breach to HHS and state agencies. Knowing what HHS and state agencies expect is key to compliance.
10. Be prepared for an investigation by HHS. The HHS Office for Civil Rights (OCR) investigates reported security incidents. Anticipate and prepare for any document requests, and make sure your vendors will support you in an investigation.
Data breach incidents are devastating and daunting to organizations of any size. But with some thoughtful and prioritized objectives and vendor selection, hospitals and practices can successfully contain the damage and even derive positive outcomes from a data breach incident.
Mahmood Sher-Jan is senior director of product management at ID Experts, where he brings more than 20 years of expertise in product strategy and lifecycle management. Mahmood leads the company’s breach prevention and risk assessment products and services, including ID Experts RADAR, a HITECH incident documentation, assessment, and reporting tool. He lives in Portland, Oregon, and holds a B.S. in Computer Science from the University of Washington and an M.B.A. from the University of Redlands.