The HIPAA Breach Notification rule (§164.400 et seq.) requires you to take specific actions when faced with a breach incident. Sheldon-Dean outlines the following steps you need to take to evaluate and report breaches, as well as to properly document compliance incidents:
- Report all breaches promptly to the affected individuals, unless:
  - The disclosure falls under one of the three exceptions to HHS' definition of a breach (see www.hhs.gov/hipaa); OR
  - The PHI was encrypted (or otherwise rendered unusable, unreadable, or indecipherable) using processes that meet the requirements of HHS guidance, so it does not count as "unsecured" PHI; OR
  - A risk assessment demonstrates that there is a low probability that the protected health information (PHI) has been compromised.
- Determine whether there is a low probability that the PHI has been compromised using a HIPAA breach risk assessment that considers at least these four factors:
  - The nature and extent of the information (how detailed is it, how much identifying information does it contain, how sensitive is it, and what is the potential for "adverse impact" to the individual?);
  - To whom the information was released (was the recipient, for example, another healthcare provider already bound by HIPAA?);
  - Whether the information was actually acquired or viewed (was it discarded without being read?); and
  - How you mitigated the incident (have you obtained assurances that the information disclosed cannot be further used, disclosed, or retained?).
- Report breaches of PHI involving 500 or more individuals to HHS at the same time you notify the affected individuals. If the breach involves fewer than 500 individuals, log it and report it to HHS within 60 days after the end of the calendar year in which the breach was discovered.
- Report breaches of PHI to individuals, HHS, and, where required, the media according to the applicable regulation (see www.hhs.gov/hipaa for details).
- Involve your organization’s counsel and senior management in any breaches that may be reportable under law, to ensure that you follow federal and state laws correctly when providing various notices and reports to agencies. Keep in mind that breaches of an individual’s information may also be subject to the state laws where the individual resides, and not just the state where your organization is located.
- Document all privacy and security incidents, breaches, and HIPAA breach risk assessments performed to determine whether an incident is a reportable breach. Include documentation of incidents in any compliance evaluation procedures or usage audit and activity review procedures, as appropriate.
- Develop and preserve information gathered in your investigation of security incidents to the greatest extent possible as potential evidence admissible in court, in case it’s needed in legal proceedings. Whenever possible, identify any individuals or entities that may be liable for harm caused by the incident.
Put These Policies & Procedures in Place
You must have procedures for reporting, processing, and responding to suspected or known information security incidents, Sheldon-Dean stresses. These procedures are essential for investigating, mitigating, and documenting security incidents, so that you can appropriately report and promptly handle security violations and breaches.
According to Sheldon-Dean, your procedures should identify:
- How to determine what qualifies as an “incident;”
- How to report incidents (including designating a person to whom incidents and alerts must be reported on a 24/7 basis);
- The steps to take in investigating;
- The roles and responsibilities of the response team;
- The steps to take and information to include when documenting incidents;
- The steps to take to mitigate the effects of incidents (where possible and/or allowed by law);
- The steps to take to provide business recovery and continuity, including the use of adequate backup procedures;
- Who may release information about the incident and the procedures for doing so;
- To which entities incidents involving breaches must be reported;
- Who is authorized to release a system following an investigation; and
- How you should perform a follow-up analysis and who should participate.
To learn more about evaluating and reporting breaches—as well plotting out your organization’s security incident response plan—pick up your copy of TCI’s HIPAA Handbook 2017.