Defining the Crisis
In 2011, Health and Human Services (HHS) launched new regulations inside the existing HITECH rules (see appendix). HHS now requires HIPAA covered entities to provide notification following a breach of unsecured patient health information (PHI). PHI is any data that contains sensitive patient information, such as private demographics and/or medically relevant patient data. Similar breach notification provisions are also enforced by the Federal Trade Commission (FTC) and are appended to the rule. The requirement to notify includes communication to the media, the affected patient(s), and the HHS Secretary. In addition, the offending company is required to provide ...
For the purposes of this exercise, I seek to ensure we are not in denial, believing that the crisis will "only happen to others." I also want to be sure we have not intellectualized the crisis to the point where we "believe the probabilities are so small" that we need not worry about the outcome. The chart below helps to illuminate how destructive this situation would be to our organization and why it should be taken seriously:
Economic:
- Decline in earnings from client loss
- Possible litigation from patients and clients as a result of data misuse
- Monetary loss associated with media operations and constant credit monitoring

Informational:
- Loss of needed patient data and client analysis

Reputational:
- Ill-will from patients and clients
- Public scrutiny and damage to reputation for future and existing client base
- Increased scrutiny from yearly auditors

Physical:
- Loss of laptop
- Loss of other equipment
The above paints a clear picture that this crisis is harmful and should be given an immense amount of respect. Going further, using the above information allowed me to rationally place this problem in the crisis matrix. I estimated the Crisis Impact rating to be nine and the Crisis Probability rating to be six. The probability is closely associated with the latest rash of laptops being stolen around the country. This places our data breach scenario well within the Red Zone, where we should "explore every conceivable way to get out of it." As we discussed in class, when we can control a leg of the matrix we should fight to move either the impact and/or the probability in order to mitigate risk. In this case my objective is to move the overall rating from Red to Green by lessening the probability and impact through planning and prevention.
What key personnel are needed?
In order to address the crisis when it occurs, it is important not only to develop a plan but also to test the plan and keep it up to date. It is critical to develop a cohesive planning team made up of those resources who have appropriate experience and talents relevant to the subject matter surrounding the crisis. I believe that for purposes of planning we will need to engage our HIPAA officer, operations managers, sales, helpdesk personnel, marketing, IT administration, procurement, and accounting. The key objective of the planning team will be the prevention of the event. However, these same individuals will be paramount in helping to identify the crisis while it is occurring. By placing critical checks and balances across the organization as a result of planning, we can bolster the organization's ability to minimize risk and identify the issue as it is occurring.
In responding to the crisis, I envision a command center led by me (CIO) with assistance from marketing (public relations), accounting (risk), client relations (account management), and compliance (HIPAA). Status would be reported daily to the CEO and CFO. At the time of the crisis, this team would have access...