I recently presented on the topic of Healthcare Data Breaches–A to Z at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix.  Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs.  During my presentation, with the hope that at least one of the tenets would be helpful to tackle the constantly evolving data breach legal landscape, I gave the audience my A to Zs for healthcare organizations.  Many of these will seem like common sense, but in my experience, there are a number of organizations who still do not recognize the importance of each of these.  Since the ASHRM conference, I have received many requests for my list and decided to publish them here:

A – Accept that it will happen to you

B – Breach response policies are not only mandatory, they are helpful

C – Compliance with policies and procedures is critical

D – Data breach Fridays–the breach call always comes in at 6pm on a Friday

E – Empathize with your customers/patients/employees–how are they going to react to your response?

F – Familiarize yourself with the members of your breach response team before the breach occurs

G – Government has its hands in everything when it comes to privacy


I – IT is not the only one responsible for breaches–it is a C-suite issue

J – Joint Commission may ask you about your healthcare breach

K – Kids’ information is sensitive to parents no matter how low level you may think it is

L – Legal landscape is constantly changing

M – Mitigation of harm (credit monitoring, identity monitoring, reissued credit cards)

N – Notice to the media needs to be carefully considered even when required by law and your PR firm may not be in the best position to advise you

O – Overreacting is not going to get you through the event

P – Preparedness is key

Q – Quit keeping old data

R – Risk of harm analyses should be documented

S – Social media policies should be in place

T – Transparency is expected by regulators and customers

U – Understand the laws that impact your organization

V – Vendors cause about 1/3 of the breaches

W – Wait to see what you are dealing with before you announce a breach to the world

X – X-rays are being stolen to be melted down for their silver content, but you may still need to notify the patients affected because the sleeves often contain PHI

Y – Yesterday’s events can’t be changed–get over it, look forward, and change your practices

Z – Zealously investigate your breach–it will help you in the end

Building these principles into your organization’s philosophy as it bolsters its data security and privacy policies and procedures will help you when an event occurs. Consider updating your breach response/incident response plans, written information security plans, social media policies, portal agreements, vendor contracts, and risk assessments. An increasing number of clients are also requesting tabletop exercises or workshops to help them prepare to respond to a breach. The more prepared an organization is, and the more an organization’s C-suite recognizes that this is not an IT-only issue, the better equipped organizations will be to respond to customers, lawsuits, and regulators.