Dealing with Disaster

Manage the Damage of Data Breach

Imagine this — It’s a Friday morning and you’re sitting at your desk savoring the last drops of your morning coffee. A call is transferred to your office, so you answer the phone.
Within the next two minutes, you learn that a patient has had her credit card information stolen, and it appears it may have happened in your office. You hear a tone and look down to realize your phone is displaying another call on hold. Almost at the same time, there’s another.

It’s not going to be a normal Friday. In fact, you will probably be working all weekend.
Not only do you have stolen credit card information to deal with, but you also have a HIPAA data breach.

Where do you go from here?
The first place to start is to contact your credit card vendor immediately and alert them to the issue. There is likely a protocol they follow for this situation that should guide you through the next steps to cope with the aftermath of the stolen information.

How do you deal with angry patients and HIPAA?

Here are some tips:

— Alert your phone operators that there may be a surge in calls

Decide in advance what to do if you are hit with a tidal wave of calls.

  • Should operators transfer all the calls to you?
  • Direct them to a voicemailbox?
  • Take messages?

— Prepare a short script for staff interacting with patients

Advise phone operators right away that there is a problem and create a short script to give them language to help manage (potentially angry) patients. This way, you can control the messaging about the issue and disseminate consistent information.

— Start making notes and update them throughout the crisis

Include any relevant information, such as the date and time you discovered the issue and all the steps you take to rectify the situation. Your notes should also record the time and date of patient calls reporting the problem, any actions taken by the credit card company to contain and remedy the breach, the date and content of any written communications to patients, and so on.

— Report the breach

For specific information on HIPAA breaches and reporting requirements, visit Generally, you will need to notify both the affected patients and the Secretary of Health and Human Services of the incident. The size of the breach will determine the specific reporting requirements.

— Create and execute an action plan to prevent the breach from happening again

The language of HIPAA is intentionally broad because it covers such a wide range of healthcare scenarios. The main thing to bear in mind whenever there is a HIPAA breach is that you need to demonstrate the problem has been acknowledged, reasonable steps have been taken to rectify it, and work will continue in the future to ensure the breach never happens again.