Even if your benefits are administered by a third party, you – as the plan sponsor – are ultimately responsible for data protection. You need every aspect of a potential security breach covered and that includes your communications plan.
That’s because your people, your business partners and – if it gets that serious – law enforcement, government agencies and the media will direct questions to you, even if you’ve outsourced benefits administration.
Have a question about breach communications? We can help.
No matter how good your data protection process, breaches can occur. When they do, it’s imperative that you know exactly who does what, when and why.
The communications component of the incident response plan is a guide for when and how to release information to stakeholders.
Defining roles should be a key part of your incident response plan.
Make sure you define who will:
To discuss role setting at your organization, get in touch.
Once you’ve defined roles and responsibilities, you’ll need to create:
You should also be prepared for incoming phone calls and media interviews.
We can guide you in preparing these materials. Contact us.
In 2013, the Department of Health and Human Services (HHS) modified the Privacy, Security, Breach Notification and Enforcement Rules under the Health Insurance Portability and Accountability Act (commonly known as HIPAA).
This included certain rules related to breach communications for covered entities.
Under HIPAA, covered entities are:
If you're a covered entity, you need to follow a very specific breach notification process with the Office for Civil Rights (OCR).
Not doing so can have significant financial consequences.
Segal has developed a model OCR breach notification plan. For more details, get in touch.
Breach communications is only one component of your incident response plan. If you’d like to discuss and develop the full process, our cybersecurity incident response workshop equips you to:
Don't wait until it's too late.