FortiSOAR Discussions
srivastavad
Staff

FortiSOAR HIPAA Framework Solution; PHI/ePHI Breach Management Workflow and Playbook Mapping

The FortiSOAR HIPAA Framework Solution helps users follow the requirements of the HIPAA Breach Notification Rule when handling a breach of unsecured PHI/ePHI (Protected Health Information/Electronic Protected Health Information). This article lists the essential steps for managing a breach of PHI and maps each step to the dedicated playbook that structures and streamlines the response, so that the incident is handled in a coordinated and efficient way.


Actions:

Incident Reporting: When "Was Personal Data Affected?" is marked "Yes", this action maps to the "Create Data Compliance Record" playbook, which records the breach incident.

Compliance Record Update: Completing the tasks in the HIPAA Assessment Data Compliance Record within 60 days. This action maps to the "Update Description of Compliance Record" playbook, which maintains the compliance record.

Risk Assessment: Submitting the risk assessment details. This action maps to the "Get HIPAA Risk Assessment Information" playbook, which collects and submits the risk assessment information.

Contact Information: Providing contact details for the HSO (HIPAA Security Officer) and the CE (Covered Entity). This action maps to the "Get Covered Entity and HSO Contact" playbook, which obtains the necessary contact information.

Notification to HSO: Sending an email notification to the HSO. This action is part of the "Notify Individuals Affected by PHI Breach" playbook, which notifies the relevant individuals, including the HSO.

Technical Fixes: Applying technical fixes and submitting the details. This action maps to the "Perform Actions to Apply Technical Fix" playbook, which addresses the technical issues behind the breach.

HHS Notification: Notifying the Secretary of HHS about the breach. This action maps to the "Report PHI Breach to Law Enforcement Agency" playbook, which reports the breach to the appropriate authorities.

Law Enforcement Report: Reporting the breach to the law enforcement agency. This action is also part of the "Report PHI Breach to Law Enforcement Agency" playbook, which notifies law enforcement directly.

Delay Confirmation: Confirming whether law enforcement requested a delay in notifying the affected individuals. This action maps to the "Confirm Law Enforcement Delay Request" playbook, which verifies and responds to such requests.

Affected Individuals List: Compiling a list of the affected individuals and uploading their contact details in CSV format. This action maps to the "Create List of Affected Users" playbook, which prepares the complete list of affected individuals.

Email Notifications: Notifying the affected individuals by email. This action is a key part of the "Notify Individuals Affected by PHI Breach" playbook.

Alternative Notifications: Notifying affected individuals by alternative methods when their contact information is outdated. This action is also part of the "Notify Individuals Affected by PHI Breach" playbook.

Media Notification: Providing notice to media outlets when more than 500 individuals were affected. This action is also part of the "Notify Individuals Affected by PHI Breach" playbook, which covers media notification for a large-scale breach.
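As an added illustration (not code from the FortiSOAR solution or from this post), the Python below turns the mapping above into one decision function: given the "Was Personal Data Affected?" answer, the discovery date, the uploaded affected-individuals CSV and whether law enforcement requested a delay, it returns the playbooks to run, the 60-day deadline, who needs an alternative notification and whether the more-than-500 media notice applies. The CSV column names, the sample rows and the function names are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Thresholds taken from the workflow above.
MEDIA_NOTICE_THRESHOLD = 500   # media notice when more than 500 individuals are affected
COMPLIANCE_DEADLINE_DAYS = 60  # compliance-record tasks are completed within 60 days

# Playbooks named in the workflow; all of them apply once PHI is confirmed affected.
HIPAA_PLAYBOOKS = [
    "Create Data Compliance Record", "Update Description of Compliance Record",
    "Get HIPAA Risk Assessment Information", "Get Covered Entity and HSO Contact",
    "Perform Actions to Apply Technical Fix", "Report PHI Breach to Law Enforcement Agency",
    "Confirm Law Enforcement Delay Request", "Create List of Affected Users",
    "Notify Individuals Affected by PHI Breach",
]

# Constructed sample of the affected-individuals CSV; the column names are an assumption.
SAMPLE_AFFECTED_CSV = """name,email,phone
Alice Example,alice@example.org,555-0100
Bob Example,,555-0101
Carol Example,carol@example.org,
"""

def parse_affected_users(csv_text):
    """Parse the uploaded CSV into one dict per affected individual."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def plan_breach_response(personal_data_affected, discovery_date, affected_csv,
                         law_enforcement_delay=False):
    """Return the playbooks and notification decisions for one breach record (ISO dates)."""
    if not personal_data_affected:
        # "Was Personal Data Affected?" is No: no compliance record is created.
        return {"playbooks": [], "deadline": None, "affected_count": 0,
                "needs_media_notice": False, "alternative_notification": [],
                "individual_notice_deferred": False}
    users = parse_affected_users(affected_csv)
    # Individuals with no usable e-mail address must be reached by an alternative method.
    alternative = [u["name"] for u in users if not (u.get("email") or "").strip()]
    deadline = date.fromisoformat(discovery_date) + timedelta(days=COMPLIANCE_DEADLINE_DAYS)
    return {
        "playbooks": list(HIPAA_PLAYBOOKS),
        "deadline": deadline.isoformat(),
        "affected_count": len(users),
        "needs_media_notice": len(users) > MEDIA_NOTICE_THRESHOLD,
        "alternative_notification": alternative,
        # Individual notices wait while a law-enforcement delay request is in force.
        "individual_notice_deferred": law_enforcement_delay,
    }
```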


See https://fortisoar.contenthub.fortinet.com//detail.html?entity=hIPAAFramework&version=1.0.0&type=solu...
