A practice that isn't careful may take steps that become fodder for an auditor or a disgruntled patient suing for breach of privacy, said Breen.
"If a data breach does occur, the covered entity needs to keep in mind that its own investigation and documentation of the outcome could be used against it," Breen warns. He has seen several situations where the provider's actions after the breach have backfired.
"It's similar to billing audits. The paper you are creating and the message you are sending are critical and can adversely impact you," Breen points out.
Have a response plan in place before you suffer a security breach. "If you haven't thought it through before a breach, you're at a disadvantage," says Breen. For instance, you should have an action plan that includes what resources you may need to go to, such as law enforcement; who should be part of the investigation; who should sign any notification letters to patients; and the like. "There are more challenges if you're not prepared," he says.
Consider conducting a fire drill or spot checks to avoid vulnerable areas. For instance, check your inventory of portable media and see if your computers automatically shut off for inactivity, says Breen. It's always better to prevent a breach from occurring if possible, and such checks show that you're periodically assessing the risk of a breach, which is required by HIPAA.