Incident response to security breaches involving PHI
Incident Response Procedure for Security Breaches Involving ePHI
Osteopathic Family Medicine, LLC

Key Points for Employees
Purpose
  • Ensure compliance with HIPAA in the event of a security breach involving electronic Protected Health Information (ePHI).
  • Provide clear roles, responsibilities, and actions for all staff.
Roles and Responsibilities
  • Dr. Aaron Way: Primary Lead for coordinating responses, external communication, and ensuring compliance.
  • Jessica Lindberg (Office Manager): Manages incident documentation, staff coordination, and follow-up.
  • All Staff (Midlevel Providers, Medical Assistants, Front Desk Staff):
    • Report incidents immediately.
    • Follow response instructions.
Key Steps in Incident Response
1. Preparation
  • System Details:
    • EMR: Amazing Charts.
    • Nightly on-site and off-site backups.
    • Secured server location.
  • Training:
    • Complete HIPAA Secure Now training.
2. Detection and Identification
  • Monitoring:
    • Regularly review EMR audit logs, server event logs, and remote-access logs for suspicious patterns, for example chart views outside office hours, one account opening an unusual number of charts, logins from unknown devices, or repeated failed logins.
  • Reporting:
    • Report suspicious activity to Jessica Lindberg or Dr. Aaron Way immediately.
  • Initial Assessment:
    • Dr. Way determines whether the event is a security incident involving ePHI. For any impermissible use or disclosure of ePHI, HIPAA presumes a breach unless a documented four-factor risk assessment (the nature and extent of the ePHI involved, who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated) shows a low probability that the ePHI was compromised.
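The kind of log review the Monitoring step calls for, as an added example (not part of the practice's procedure and not Amazing Charts code). The audit log format, the workstation names, the office hours and the thresholds are all assumptions; the log lines are constructed.

```python
"""Review an EMR access log for patterns worth escalating.

Added example, not part of the practice's procedure or of Amazing Charts.
The audit log format is an assumption: one CSV line per event,
"ISO-timestamp,user,action,patient_id,workstation".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Site-specific assumptions (not from the policy): adjust to the practice.
BUSINESS_HOURS = (7, 19)                       # chart access expected 07:00-19:00
KNOWN_WORKSTATIONS = {"FRONTDESK-1", "MA-1", "MA-2", "EXAM-1", "DRWAY-PC"}
BULK_THRESHOLD = 20                            # distinct charts per user per clock hour
FAILED_LOGIN_THRESHOLD = 5                     # failed logins per user in 10 minutes


def parse_line(line):
    ts, user, action, patient_id, workstation = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "patient": patient_id, "ws": workstation}


def review(lines):
    """Return (rule, user, detail) findings for the given log lines."""
    findings = []
    charts = defaultdict(set)     # (user, hour) -> distinct patient ids viewed
    failures = defaultdict(list)  # user -> timestamps of failed logins
    for e in (parse_line(l) for l in lines if l.strip()):
        ts, hour = e["ts"], e["ts"].hour
        # Any event from a device the practice does not own is worth a look.
        if e["ws"] not in KNOWN_WORKSTATIONS:
            findings.append(("unknown_workstation", e["user"], e["ws"]))
        if e["action"] == "VIEW_CHART":
            # Chart views at night or on weekends, when the office is closed.
            if ts.weekday() >= 5 or not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                findings.append(("after_hours_access", e["user"], f"{e['patient']} at {ts}"))
            charts[(e["user"], ts.replace(minute=0, second=0))].add(e["patient"])
        elif e["action"] == "LOGIN_FAILED":
            failures[e["user"]].append(ts)
    # One account opening many different charts in an hour: snooping or bulk export.
    for (user, hour), ids in charts.items():
        if len(ids) >= BULK_THRESHOLD:
            findings.append(("bulk_chart_access", user, f"{len(ids)} charts from {hour}"))
    # Repeated failed logins in a short window: password guessing.
    for user, times in failures.items():
        times.sort()
        for start in times:
            burst = [t for t in times if timedelta(0) <= t - start <= timedelta(minutes=10)]
            if len(burst) >= FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", user, f"{len(burst)} failures from {start}"))
                break
    return findings


# Constructed sample log for a Tuesday; not real practice data.
SAMPLE_LOG = (
    ["2024-03-12T08:15:00,ma1,LOGIN_OK,,MA-1",
     "2024-03-12T08:16:10,ma1,VIEW_CHART,P1001,MA-1",                # normal
     "2024-03-12T23:42:00,frontdesk2,VIEW_CHART,P2045,FRONTDESK-1",  # 23:42, office closed
     "2024-03-12T12:01:00,ma2,VIEW_CHART,P3001,LAPTOP-UNKNOWN"]      # device not on the list
    + [f"2024-03-12T09:0{s}:00,ma1,LOGIN_FAILED,,MA-1" for s in range(6)]           # 6 failures in 6 min
    + [f"2024-03-12T14:{m:02d}:00,ma2,VIEW_CHART,P{4000 + m},MA-2" for m in range(25)]  # 25 charts in 1 h
)


def run():
    return review(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, user, detail in run():
        print(rule, user, detail, sep=" | ")
```

Each finding is a lead for the Initial Assessment, not a breach determination: a nurse covering a late call or a new laptop the list has not caught up with will trip the same rules, so the reviewer confirms against the schedule and the device inventory before escalating.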
3. Response and Containment
  • Immediate Actions:
    • Disconnect affected systems from the network (unplug the network cable or disable Wi-Fi); do not power them off, wipe them, or reinstall until logs and other evidence have been preserved.
    • Secure server physically.
    • Take the on-site backup offline and confirm the off-site backup is intact and not reachable from the affected systems.
  • Documentation:
    • Jessica Lindberg records the breach details and risks, including the date and time of discovery (the 60-day notification clock runs from discovery), the systems and accounts involved, and each action taken.
4. Assessment and Mitigation
  • Investigation:
    • Preserve logs and affected systems first, then identify the root cause using forensic tools and Amazing Charts' support.
  • Mitigation:
    • Restore systems from a backup verified to predate the compromise and checked for integrity.
    • Address vulnerabilities (e.g., software updates, access controls).
  • Assess Impact:
    • Determine scope and type of data affected.
5. Breach Notification
  • Timing: Notify without unreasonable delay and no later than 60 calendar days after the breach is discovered (the first day it is known, or reasonably should have been known, to the practice).
  • Individual Notification: Send written notice to each affected patient (first-class mail, or e-mail if the patient has agreed to electronic notice) describing what happened and when, the types of ePHI involved, steps the patient should take to protect themselves, what the practice is doing to investigate and mitigate, and how to contact the practice.
  • HHS Notification:
    • <500 individuals: Log the breach and report it through the HHS breach portal no later than 60 days after the end of the calendar year in which it was discovered.
    • ≥500 individuals: Report through the HHS breach portal at the same time as individual notice, no later than 60 days after discovery.
  • Media Notification: If the breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area within the same 60-day limit.
6. Recovery
  • System Restoration: Validate restored systems (restored data matches the backup, updates applied, affected credentials reset) and secure them before resuming use.
  • Enhanced Security:
    • Implement stronger passwords, tighter role-based access controls, and encryption of ePHI at rest and in backups.
    • Provide additional HIPAA training.
  • Documentation: Jessica Lindberg compiles a full incident report.
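One way to validate a restore before putting it back in service, as an added example (not the practice's own tooling and not Amazing Charts code). It assumes the nightly backup job also writes a manifest of SHA-256 digests and that the manifest is kept with the off-site copy, so an attacker who alters the on-site backup cannot also rewrite the manifest; the file names and contents below are constructed.

```python
"""Check a restored copy of the EMR data against a manifest taken at backup time.

Added example, not the practice's own tooling. Assumes the backup job writes a
manifest (relative path -> SHA-256) and stores it with the off-site copy.
Paths and file contents in demo() are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare the restored tree with the manifest. All-empty lists mean it is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_clean(report):
    return not any(report.values())


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a good manifest, then a restore that was tampered with."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "db/charts.db", b"chart data, version 1")
        _write(root, "config/emr.ini", b"[server]\nhost=emr-local\n")
        manifest = build_manifest(root)          # taken at backup time
        clean = verify_restore(root, manifest)   # untouched restore: nothing reported
        # Tamper with the restore: overwrite the database, delete the config, add a stray file.
        _write(root, "db/charts.db", b"garbage written over the database")
        os.remove(os.path.join(root, "config", "emr.ini"))
        _write(root, "db/note.txt", b"not part of the backup")
        tampered = verify_restore(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", is_clean(clean))
    print("tampered restore:", tampered)
```

A non-empty report means the backup is not trusted until the differences are explained; a file modified between backup and restore is the signal that the backup itself, not just the live server, was reached.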
7. Post-Incident Review
  • Evaluation: Dr. Way leads a review of the response to identify areas for improvement.
  • Policy Updates: Revise protocols based on lessons learned.
  • Compliance: Ensure documentation meets HIPAA standards (retain it for six years from the date it was created or last in effect).
Responsibilities of All Staff
  • Complete HIPAA Secure Now training annually.
  • Report suspicious activity immediately to Jessica Lindberg or Dr. Aaron Way.
  • Follow security policies for handling ePHI.
Summary for Compliance and Protection
This procedure ensures:
  • Confidentiality, integrity, and availability of patient data.
  • Compliance with HIPAA standards.
  • A structured response to minimize risks and enhance security.