What is our responsibility if there is a potential breach of unsecured PHI from our EHR?
After learning of a potential breach of unsecured PHI from your EHR, you should perform the following activities:
Contain and eradicate the use or disclosure of additional data: The strategy to contain and eradicate further impermissible uses or disclosures of unsecured PHI depends on the nature of the breach. If the breach results from inappropriate actions by workforce members, such as searching through medical records that they are not authorized to view, then the response should be appropriate to stop any further impermissible uses and disclosures in accordance with your organization's policies and procedures for such violations. However, if the breach is due to a hacking of your system, the conditions that allowed the data theft to occur may still be present in your systems and the theft may be ongoing. The hacker may have left applications on your system that will allow entry in the future, or may have stolen passwords that can be used in the future. A prudent first step is to remove (if possible) any Internet connectivity from your systems. You should expect your EHR vendor to assist you in identifying how the loss occurred and to provide guidance on how to stop any ongoing losses. It may be necessary for your technical support staff to contact security specialists for forensic analysis and direction.
Restore full system operations: Bring systems back online once your technical support staff or independent security consultants can certify that the corrective action(s) have been taken to prevent a recurrence of the exploit.
Recover the assets: It is rarely possible to recover stolen information. The best outcome to expect is that the culprits are caught. Report the breach to the appropriate law enforcement officials.
Conduct a risk assessment and provide notifications: If a potential breach is suspected, you should perform a risk assessment to determine the nature of the breach. Based on the assessment, appropriate notifications should be provided to patients, the media, state government, and the Secretary of Health and Human Services.
E-mail the HealthIT e-mail box: healthit@hrsa.gov