
They say no news is bad news, and what you don’t know can’t hurt you. These and other maxims are fine if you’re an ostrich with its head in the sand. For privacy-minded healthcare organizations, a better truism applies: Knowledge is power—especially when it comes to privacy incidents involving sensitive patient and member information.

HIPAA compels covered entities and their business associates to consistently risk assess every incident in their organization. Beyond compliance, however, incident management information serves as a catalyst for action. The ability to track and analyze incident trends over time gives you insight for making impactful improvements.

For example:

  1. A greater volume of incidents may show that your employee training is working. Privacy training has a somewhat surprising benefit: more incident reporting. You may even see an increase in the number of incidents being reported, but a decrease in the number of reportable breaches.
  2. Regular, real-time reporting lets you respond to problems from the start. Say you notice a month-over-month increase in incident volume. The privacy team can investigate the source of the increase—such as from a particular department or location—and mitigate the problem with timely reminders and training.

Tracking and risk assessing incidents is essential to establishing an effective incident management program and to demonstrating compliance to OCR and other regulators. Yet with data and systems sprawled across locations and departments, efficient, consistent incident response management is extremely difficult.

Inconsistency leads to subjectivity, which leads to the possibility of under- or over-reporting breaches. You may provide unnecessary notification or fail to notify where it is required. Either way, you risk regulatory action, diminished reputation, and potential harm to patients and members.

Automating incident management creates timely, consistent processes

There is hope, as healthcare and other industries increasingly realize the need to accelerate efficiency in privacy incident management. It is a daunting task, as privacy demands on organizations increase and there are significant gaps in hiring.

The most recent IAPP-EY Annual Governance Report notes that privacy is hiring, but it’s not enough. And the privacy function’s responsibilities continue to expand.

The only way to keep up with the growing demands of privacy is through automating incident management. 

Thanks to technology, covered entities and business associates can automate every phase of the incident management process, from tracking to risk assessment to notification.

Costs go down, accuracy goes up, and your privacy team can scale its program with confidence. With greater consistency and efficiency, breach notification decisions are objective rather than subjective. And better incident tracking improves your reporting, so you can more proactively identify areas for improvement.

Top health insurer speeds incident response management and cuts costs

A Fortune 50 insurance company with millions of members faced many of the above challenges—a massive workload, an inefficient risk assessment process that included time spent researching laws and gathering documentation, and limited visibility into the volume and location of incidents across their organization.

The company had several choices to address their needs: an in-house database, their existing GRC platform, or the RadarFirst incident management solution. Only Radar provided the functionality, including built-in HIPAA and state laws, that could meet all of the insurer’s immediate and long-term needs.

“RadarFirst is a huge time saver…All the federal regulations and state laws are in one place and kept up-to-date. In the past, our incident risk assessments were painfully slow.” — Privacy Executive, Fortune 50 health insurer

RadarFirst has reduced input hours, provided more accurate incident data, and helped automate incident risk assessments for more consistent decision-making. 

Consistency and better reporting let the privacy team analyze the incident workload and increase the capacity to respond to those incidents. 

Radar’s integration with the GRC system will enable both privacy and security to report incidents and collaborate so the insurer can reduce risks to sensitive customer data across the organization.

Triple Play: Save Time, Improve Efficiency, and Cut Costs