University Medical Center Relies on Radar® Privacy for Compliance with HIPAA and U.S. State Data Breach Laws

University Medical Center Relies on Radar® Privacy for Compliance with HIPAA and U.S. State Data Breach Laws

A major midwest university medical center with a strong culture of compliance faced an escalating number of privacy and security incidents.

The growing privacy team needed a better way to track, manage, and assess incidents. In addition, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) was emphasizing that every incident was considered a breach unless a multi-factor risk assessment determined there was low probability that Protected Health Information (PHI) had been compromised. This made the push for an objective, consistent process for risk assessment critical for the organization if they wanted to avoid becoming a target for an OCR audit.

Challenges

The medical center was painstakingly using spreadsheets to track incidents. Documenting each incident was a manual and inconsistent process, and decisions were often based on individual perceptions. For greater consistency in decision making, the compliance team implemented a process template to risk assess incidents, but it wasn’t offering definitive decision-support or consistent guidance and it remained difficult to keep up-to-date with ever-changing data breach notification laws.

Additionally, the number of privacy and security incidents reported within the organization was growing. Factoring OCR’s emphasis on performing consistent, compliant multi-factor risk assessments for every incident, the medical center needed a better process for tracking, managing, and objectively assessing incidents while capturing the necessary documentation to support their burden of proof and ultimately to ensure compliance.

Radar® Privacy: Consistent, Efficient, Objective

The compliance team turned to Radar® Privacy’s incident response management software to automate their incident risk assessment process, creating an objective, standardized, and defensible accounting of their decisions. Instead of relying on spreadsheets and opinions, the privacy team now has an automated, efficient process for assessing incidents in accordance with data breach notification laws.

As a result, they can:

-> Demonstrate a consistent method for breach determination using RadarFirst’s Breach Guidance Engine™.

-> Automatically assess incidents against the latest regulations, thanks to Radar’s built-in, always up-to-date guidelines for U.S. federal, state, and international breach notification laws.

-> Provide strong decision support and documentation for internal investigations and audits.

-> Reduce documentation time by 75 percent and easily create reports for OCR.

-> Track, analyze, and monitor their privacy program for continuous improvements and identify trends such as types of incidents (e.g. ransomware, misdirected mail, or device theft).

“Radar® Privacy is a perfect example of why I’m a big fan of outsourcing,” said the medical center’s HIPAA security officer. “We can leverage the expertise of industry professionals using software that doesn’t require IT support.“

Radar® Privacy helps ensure timely reporting to all agencies—not just OCR or state Attorneys General. As an institution that receives federal funds, the university medical center is part of the Internet gateway for federal financial aid. This requires certain incidents to be immediately reported to the Department of Education.

Increased insight through better reporting

Radar® Privacy’s incident submission web forms make it easier for employees across the organization to report incidents. “Using Radar® Privacy allowed us to capture all privacy incidents being internally reported to the privacy team,” the HIPAA security officer said.

“A significant number of these incidents may have otherwise been missed. People think that having more incidents makes us a target for an audit, but in reality, it’s the opposite. We’re proving the system works.”

More complete tracking of incidents means more accurate reporting of trends. With Radar® Privacy’s reporting capabilities the compliance team can easily see what the top privacy incidents are—and their causes. By identifying areas for improvement, the information from Radar® Privacy provides a basis for training across the organization.

“Radar® Privacy standardizes how we handle incidents, removing the subjectivity that comes with using manual processes. Not only that, RadarFirst is helpful in defending our decisions regarding breach notification.

Before Radar® Privacy, we would spend hours to document and set up reporting for each incident. Now we can complete the same tasks in a fraction of the time.”

– HIPAA Security Officer, University Medical Center