Bass, Berry & Sims attorney Elizabeth Warren authored an article outlining how healthcare organizations can respond to a data breach of medical records. While there are specific steps that organizations should follow after a breach has occurred, as Elizabeth points out in the article, "[t]he first step comes before a breach is even detected: Planning how an organization will respond saves critical time when a privacy or security incident is discovered." However, even with the best possible planning, a data breach may still occur. Elizabeth provides some fundamental steps for the organization to follow once a breach is detected:
- Stop the breach
- Gather the facts surrounding the breach
- Notify affected individuals of the breach – be mindful of different federal and state deadlines
- Notify the U.S. Department of Health and Human Services' Office for Civil Rights
- Prepare any public notification about the breach
- Implement corrective measures to prevent future breaches
The full article, "Medical Records are Special; Protection Efforts Must Be, Too," was published by The Tennessean on June 7, 2016, and is available online.