
Nov 19

Eight tips to polish your hospital’s patient breach response

By Dom Nicastro

Editor’s note: This is the third in a three-part series about breach notifications. Part one focused on how to prevent breaches. Part two tackled how to handle breaches. This installment offers some final tips if a breach occurs.

Now that you’ve followed protocol—the government’s and your facility’s—consider these final checklist items for after you respond accordingly to a breach.

They are offered by Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT:

  • Incorporate lessons learned into existing procedures (were internal reporting and investigation fast and efficient?)
  • Include the breach on the annual log reported to HHS
  • Modify policies as necessary
  • Reeducate staff members regarding lessons learned
  • Look for repeating patterns (e.g., one patient area that has multiple incidents)
  • Include the unauthorized disclosure on the accounting of disclosures
  • Include any sanctions on the HIPAA sanctions log
  • Ensure that investigation notes and reports were appropriately detailed and that they are maintained

HHS has said it will not enforce breach notification provisions until February 2010—or 180 days from the publication of the interim final rule—but HITECH states that covered entities (CE) are subject now to penalties for noncompliance.

CEs should have breach response systems in place already, says Chris Simons, RHIA, director of UM and HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME.

However, if CEs still need to work on their policies, they should focus their energies on making sure staff members understand the process for and importance of prompt reporting.

“If your staff doesn’t know who their privacy officer is, that’s a problem,” Simons says. “That’s a good starting place. Make sure staff knows what a breach is and who to report it to. They should be encouraged to immediately report even the suspicion of an issue.”

Document everything your organization does in response to a suspected breach, Simons adds. Conduct a risk analysis to expose your internal weaknesses. It could help you prevent a breach in the first place, which, after all, is the goal.

“What are your serious risks, and what are your minor risks?” Simons says. “How are you educating people, and are your policies and procedures in place? Get out there and do your rounds to see what’s going on and see if you hear things.”

This series contained excerpts from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”

Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.

Nov 18

Four steps to manage patient information breaches

By Dom Nicastro

Editor’s note: This is the second in a three-part series about breach notifications. This installment focuses on handling breaches.

Your facility has a breach of unsecure PHI. What do you do?

In addition to following requirements spelled out in HHS’ interim final rule on breach notification, consider these tips for handling the breach:

  • Initiate an investigation immediately. The team leader, or point person, must be ready for action, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. Immediately consider whether the organization needs to make a report to authorities. Ask the following questions: What information was potentially disclosed? What technical safeguards were in place? How many people were affected? Could the information be used adversely against such individuals?
  • Determine whether an exception to the notification requirement applies. Was the breach such that the person receiving the information would not be able to retain and use it? Was it an unintentional disclosure in good faith or an inadvertent disclosure to another individual at the same facility?
  • Determine the need to notify the individual. Check the regulations contained in the HHS interim final rule and state breach notification laws. Consider whether notification could mitigate any harmful effects on the individual. If a patient’s credit card or Social Security information was stolen, it may be appropriate to offer him or her credit monitoring services, Blustein says.
  • Determine appropriate sanctions. Following through on appropriate internal sanctions can send a chilling message throughout your organization, Blustein says. “Also, if [the Office for Civil Rights] comes in, and something egregious occurred and you’ve done nothing about it, what are you doing about mitigating the problem in the future?” he says. Depending on the employee involved and the type of violation, consider offering additional HIPAA training, issuing a warning, putting the employee on probation or suspension, or, in extreme situations, terminating the employee.

Tomorrow, we will conclude the series with tips for how to proceed after a breach. All material comes from excerpts from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”

Nov 17

Five ways to prevent patient information breaches

By Dom Nicastro

Editor’s note: This is the first in a three-part series about breach notifications. The first installment focuses on preventing breaches.

The U.S. Department of Health and Human Services (HHS) on August 19 released its interim final rule on breach notification of unsecure protected health information (PHI) and the acceptable methods for covered entities (CE) and business associates (BA) to encrypt and destroy patient records in order to prevent breaches.

The PHI breach notification regulations took effect September 23. However, HHS will not enforce the rule until February 22, 2010, or thereabouts.

Although CEs and BAs should have breach notification policies in place, they must also know how to prevent breaches.

“You don’t get to the HITECH until you have a privacy breach,” says Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. “If you have good things in your privacy program, you should never get to it.”

Consider Blustein’s tips for how to prepare for a breach so it doesn’t happen:

  • Establish appropriate technical safeguards to protect patient information. Require encryption for laptops and other portable devices. Establish remote access roles specific to applications and business requirements. Prohibit the installation of unsecured “homemade” software on laptops. Develop policies regarding the protection of patient information transmitted from remote locations.
  • Discuss with vendors their responsibility for protecting patient information. Vendors who are BAs must enter into an agreement with the CE. Further, contact each of your vendors and discuss appropriate safeguards to protect your PHI. If your BA is an agent of the CE, the CE is considered to have notice of the breach at the time the BA has notice. Make clear the lines of communication and responsibility between you and your BA.
  • Perform routine audits of employee access to PHI. Let employees know you are conducting the audits. Inform them that you intend for the audits to revitalize the organization’s policy.
  • Establish a security incident response team. Assign an individual to be responsible for organizing responses to security incidents. Appoint a core team to conduct the investigation (e.g., representatives from IT, HR, risk management, legal, and security departments). Include technical and administrative staff members, as well as staff members directly involved in the incident. “You can’t do this on the fly,” Blustein says. Build your team carefully and conduct mock breaches.
  • Prepare written policies that address the process for internal reporting. Consider what potential breaches need to be reported internally and to whom individuals should report these violations. Set time frames for reporting. “In some cases, you don’t want to wait for the investigation team’s full report,” Blustein says. “Sometimes you want a flash report.” Educate staff members and publicize an actual breach in the organization as a teaching moment. Don’t keep it quiet.

Tomorrow, we will discuss handling a breach at your facility and then conclude the series the following day with tips for how to proceed after a breach. All material comes from excerpts from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”

Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the HIPAA Update blog and Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.

Nov 16

Check out this major breach

By Dom Nicastro

If you think your facility is safe because of strong breach prevention programs, think again. It can happen anywhere, from one simple mistake.

Nov 13

Q&A: How CMS responds to HIPAA complaints

By Dom Nicastro

Q: How does CMS handle a Health Insurance Portability and Accountability Act (HIPAA) complaint once received?

A: Upon receipt of a complaint, CMS will notify the entity the complaint was filed against and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures to verify that they are compliant with the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is not compliant and has failed to correct its systems.

This Q&A is adapted from the CMS FAQ website page, where this and other FAQs can be viewed.
