Best practices for handling large-scale HIPAA breaches

by Emmelyn Kim, MA, MPH, CCRA, CHRC; and Cynthia Hahn

» Assemble a task force involving multiple stakeholders to handle large-scale breaches.
» Plan ahead for any required notifications to required entities.
» Develop a robust corrective and preventive action plan.
» Prepare for Office for Civil Rights (OCR) investigations and interactions.
» Continue to monitor and evaluate organizational risks.

Emmelyn Kim (email@example.com) is Assistant Vice President, Research Compliance & Privacy Officer at The Feinstein Institute for Medical Research, Northwell Health in Great Neck, NY.
Cynthia Hahn (firstname.lastname@example.org) is President of Integrated Research Strategy, LLC in East Northport, NY.

Research organizations that are considered covered entities as defined by the Health Insurance Portability and Accountability Act (HIPAA) must establish effective programs that regularly evaluate and mitigate HIPAA Privacy and Security risks. The advancement of technologies requires entities to deploy increasingly sophisticated strategies to effectively monitor and secure their information to minimize exposure. Although many covered entities have developed programs to mitigate these risks, they continue to experience breaches as a result of hacking or IT incidents, improper disposal, loss, unauthorized access or disclosure, or theft.¹ Covered entities should be prepared to investigate and handle any HIPAA breach notifications that may arise (including those from business associates) to ensure prompt reporting to the Office for Civil Rights (OCR) and applicable research-related regulatory authorities, sponsoring agencies, and any affected research participants within specified time periods. In the case of large-scale breaches that impact more than 500 individuals, additional steps are necessary that require a response team to effectively meet requirements of the HIPAA Breach Notification Rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act.² This article highlights best practices and practical planning considerations for research organizations to effectively handle large-scale

Too large to handle? Assemble a task force

Ensuring that potential HIPAA breaches are reported to responsible organizational officials as soon as possible is critical in order for organizations to quickly gather facts and perform a HIPAA breach analysis, because the clock starts ticking at the point of discovery. When it