Best practices from healthcare and compliance experts
Posted on 26 October 2012.
Data breaches in healthcare are raising alarm. Nearly 20 million patient health records have been compromised in the past two years, according to the U.S. Department of Health and Human Services (HHS).


The American Hospital Association brought together senior executives from healthcare, information security, compliance, and legal disciplines to discuss best practices around creating a culture of patient privacy compliance. The panel was clear in its direction: build a team and leverage an interdisciplinary incident response team.

Encrypt, encrypt, encrypt!
Kimberly B. Holmes, Esq., deputy worldwide product manager - health care, Chubb Group of Insurance Companies

"While there currently are no federal minimum standards or guidance around the quality and level of encryption that should be implemented to secure PHI, having some form of encryption applied to all PHI, and especially to PHI that is stored on mobile/portable devices, mitigates the risk of potentially serious HITECH fines/penalties when a breach occurs."

Prepare for a breach.
Cheryl A. Parham, Esq., associate general counsel, New York-Presbyterian Hospital

"Identify first responders with knowledge of your organization as well as the rules regarding notification and reporting. When a breach occurs, find out the facts first, then respond—but do it timely!"

Have a privacy and security compliance assessment carried out every year.
Doug Pollack, CIPP/US, chief strategy officer, ID Experts

"A key action for your healthcare organization to reduce your risks of being fined by the Office for Civil Rights (OCR) is to have a privacy and security compliance assessment carried out every year, and to clearly document the remedial actions that you've taken to address the most severe patient data privacy risks that were identified."

Find the gaps and close them.
Meredith Phillips, MHSA, CHC, CHPC, chief privacy officer, Henry Ford Health Systems

"When engaging with OCR, be a partner and show that you are being proactive. When we look at our programs, we see where there are some gaps and we tell OCR what we are going to do to fix the gaps and report back. We want to show that we are taking action to correct any issues."

Prevention efforts, preparation, and a well-executed response plan.
Marcy Wilder, co-chair of the Global Privacy and Information Group at Hogan Lovells

"Prevention efforts, preparation, and a well-executed response plan can go a long way toward mitigating the financial, legal and reputational harm that a security incident involving patient information can cause. Whether a breach begins with an external attack, employee malfeasance or an innocent mistake, an organization's initial response can help minimize harm to affected individuals and manage the risks to which an institution is exposed. To start, have a written post-breach response plan ready and tested before a breach happens."






Copyright 1998-2013 by Help Net Security.