Privacy Officer's Roundtable

  • 1.  Breach Drills

    Posted 02-18-2021 07:46 AM
    I am looking for some fresh ideas on conducting breach drills that involve all members of the breach committee. Does anyone have a good process they're willing to share?

    Jim Parks
    Director of Compliance
    Summit Medical Group
    SCCE Membership

  • 2.  RE: Breach Drills

    Posted 08-10-2022 10:27 AM
    Edited by Stephen Hendry 08-10-2022 10:28 AM

    I don't have any suggestions but I just want to get some of the suggestions that you got through this forum.

    Stephen Hendry

    Mothers of Health, LLC

  • 3.  RE: Breach Drills

    Posted 08-11-2022 08:08 AM
    I'm not familiar with a breach committee. I've participated in several round tables using a variety of examples to compare and contrast. I have always enjoyed hearing the different opinions and approaches.

    Brenda Manning JD, CHC, CHPC
    Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.


  • 4.  RE: Breach Drills

    Posted 08-15-2022 12:15 PM
    At my previous job, we had a HIPAA Breach Assessment Committee consisting of the following:

    Compliance and Privacy Officer
    Compliance Coordinator
    HIPAA Security Officer
    Director of HIM
    Director of HR

    The committee met as needed to assess all reported HIPAA incidents and determine the LoProCo of each.

    The membership provided a lot of insight, especially in complex incidents. It also kept the members, especially HR, in the loop if a breach was determined and corrective action of staff was implicated.


    Charles E. Colitre
    Healthcare Compliance Consultants
    PO Box 19164
    New Franklin, OH 44319
    330-807-5499 (cell)


  • 5.  RE: Breach Drills

    Posted 08-11-2022 06:29 AM
    One strategy I like, and one that is often quite "enlightening" in watching the process play out, is to initiate the drill by sending an email to the breach committee that an "impermissible" (access, acquisition, use, disclosure, or AAUD) has occurred and that a decision to complete a breach risk assessment was made, so the breach committee needs to meet/collaborate/etc. to complete the breach assessment process.

    Here are two tips that I find work with organizations that do these drills or exercises from time to time:
    - Use a low volume breach (one affecting less than 500 individuals) on your first exercise
    - Identify what is a common area or source of breaches within your organization and use a related example for your drill

    Good luck and hope you get other suggestions to help you in your effort.


    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄


  • 6.  RE: Breach Drills

    Posted 08-12-2022 06:00 PM
    I've not heard of a breach committee before and am most interested in hearing more about it if someone is willing to share information. I could list a long string of questions but will refrain from doing that at this point!

    Thank you so much!

    Jan Walton
    Director, Corporate Compliance
    Oaklawn Hospital


  • 7.  RE: Breach Drills

    Posted 08-13-2022 07:42 AM
    It sounds like the Breach Committee is the group of individuals that may be contacted to assess if an impermissible is a breach. I know in many organizations, breach risk assessments often fall on the shoulders of one individual, such as the Privacy Officer. However, there are some organizations that take a team approach, based on the details and facts related to the incident, in reviewing a breach.


    Frank Ruelas


  • 8.  RE: Breach Drills

    Posted 08-12-2022 12:59 PM
    As I posted this question over a year ago, I feel obligated to give an update on what we did.

    Our breach insurance vendor has breach scenarios that we can use and adapt for our situation. I turned them into a PowerPoint and we took one step at a time, from knowing something had happened, to immediate reaction, data mining, temporary operational issues, through final standing. The members of our Breach Response Team are those who I chose would be initial contacts in the event of a breach. They consisted of:

    Privacy Officer, Legal, Accounting, IT, HR, Decision Support, Operations, Communications, Customer Service

    As we started (by conference call), I made sure everyone knew that we would be working out a situation that may occur over days or weeks. With that said, I asked everyone to use their best judgement in the moment, and we would not expect perfection, as the real-world scenario would provide more time in most cases. I wanted everyone to be as relaxed as possible and not be put on the spot, but to realize the goal is to make this a learning EXPERIENCE and something we can review and learn from to become better.

    As we worked through the process, the next step would depend on the decision made. So nobody, not even myself as moderator/lead, knew what was coming, which kept things interesting!

    In summary, I was impressed with how everyone handled their particular areas and the suggestions they gave.  We all walked away with a renewed perspective of what our particular department would need to be ready to consider if/when we are placed in a scenario.

    Jim Parks
    Director of Compliance
    Summit Medical Group


  • 9.  RE: Breach Drills

    Posted 08-15-2022 08:42 AM
    Hi @Jim Parks,

    Really appreciate your follow-through and providing us an update! It appears as though it was a worthwhile exercise that other professionals can use to better prepare for a breach! Thank you!

    Stephen (Steve) Pavlicek | Community Engagement Manager
    Society of Corporate Compliance and Ethics
    Health Care Compliance Association
    Office: 952.567.6219 | Mobile: 612.207.3172
    6462 City West Parkway | Eden Prairie, MN 55344
