A major Midwest university medical center with a strong culture of compliance faced an escalating number of privacy and security incidents.
The growing privacy team needed a better way to track, manage, and assess incidents. In addition, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) was emphasizing that every incident was considered a breach unless a multi-factor risk assessment determined there was low probability that Protected Health Information (PHI) had been compromised. This made the push for an objective, consistent process for risk assessment critical for the organization if they wanted to avoid becoming a target for an OCR audit.
The medical center was painstakingly using spreadsheets to track incidents. Documenting each incident was a manual and inconsistent process, and decisions were often based on individual perceptions. For greater consistency in decision making, the compliance team implemented a process template to risk-assess incidents, but it offered neither definitive decision support nor consistent guidance, and it remained difficult to keep up to date with ever-changing data breach notification laws.
Additionally, the number of privacy and security incidents reported within the organization was growing. Factoring in OCR’s emphasis on performing consistent, compliant multi-factor risk assessments for every incident, the medical center needed a better process for tracking, managing, and objectively assessing incidents while capturing the documentation necessary to support its burden of proof and ultimately to ensure compliance.
The compliance team turned to Radar® incident response management software to automate their incident risk assessment process, creating an objective, standardized, and defensible accounting of their decisions. Instead of relying on spreadsheets and opinions, the privacy team now has an automated, efficient process for assessing incidents in accordance with data breach notification laws.
As a result, they can:
“Radar is a perfect example of why I’m a big fan of outsourcing,” said the medical center’s HIPAA security officer. “We can leverage the expertise of industry professionals using software that doesn’t require IT support.”
Radar helps ensure timely reporting to all agencies—not just OCR or state Attorneys General. As an institution that receives federal funds, the university medical center is part of the Internet gateway for federal financial aid. This requires certain incidents to be immediately reported to the Department of Education.
Radar’s incident submission web forms make it easier for employees across the organization to report incidents. “Using Radar allowed us to capture all privacy incidents being internally reported to the privacy team,” the HIPAA security officer said.
“A significant number of these incidents may have otherwise been missed. People think that having more incidents makes us a target for an audit, but in reality, it’s the opposite. We’re proving the system works.”
More complete tracking of incidents means more accurate reporting of trends. With Radar’s reporting capabilities, the compliance team can easily see what the top privacy incidents are—and their causes. By identifying areas for improvement, the information from Radar provides a basis for training across the organization.
Radar is the only solution with automated risk scoring and breach notification decision-support, helping you avoid the pitfalls of over- and under-notifying.
“Radar standardizes how we handle incidents, removing the subjectivity that comes with using manual processes. Not only that, Radar is helpful in defending our decisions regarding breach notification.
Before Radar, we would spend hours to document and set up reporting for each incident. Now we can complete the same tasks in a fraction of the time.”
- HIPAA Security Officer, University Medical Center