U.S. Department of Health and Human Services
Health Information Technology and Quality


What is our responsibility if there is a potential breach of unsecured PHI from our EHR?

After learning of a potential breach of unsecured PHI from your EHR, you should perform the following activities:

Contain and eradicate the use or disclosure of additional data: The strategy to contain and eradicate further impermissible uses or disclosures of unsecured PHI depends on the nature of the breach. If the breach results from inappropriate actions by workforce members, such as searching through medical records that they are not authorized to view, then the response should be appropriate to stop any further impermissible uses and disclosures, in accordance with your organization's policies and procedures for such violations. However, if the breach is due to a hacking of your system, the conditions that allowed the data theft to occur may still be present in your systems and the theft may be ongoing. The hacker may have left applications on your system that will allow the hacker entry in the future. The hacker may have stolen passwords that can be used in the future. A prudent first step should be to remove (if possible) any Internet connectivity from your systems. You should expect your EHR vendor to assist you in identifying how the loss occurred and to provide guidance on how to stop any ongoing losses. It may be necessary for your technical support staff to contact security specialists for forensic analysis and direction.
Restore full system operations: Bring systems back online once your technical support staff or independent security consultants can certify that the corrective action(s) have been taken to prevent a recurrence of the exploit.

Recover the assets: It is rarely possible to recover stolen information. The best outcome to expect is that the culprits can be caught. Report the breach to the appropriate law enforcement officials.
Conduct a risk assessment and provide notifications: If a potential breach is suspected, you should perform a risk assessment to determine the nature of the breach. Based on the assessment, appropriate notifications should be provided to patients, the media, state government, and the Secretary of Health and Human Services.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.