Editor's note: This is the second in a three-part series about breach notifications. This installment focuses on handling breaches.
Your facility has a breach of unsecured PHI. What do you do?
In addition to following requirements spelled out in HHS' interim final rule on breach notification, consider these tips for handling the breach:
- Initiate an investigation immediately. The team leader, or point person, must be ready for action, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis' Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. Immediately consider whether the organization needs to make a report to authorities. Ask the following questions: What information was potentially disclosed? What technical safeguards were in place? How many people were affected? Could the information be used adversely against such individuals?
- Determine whether an exception to the notification requirement applies. Was the breach such that the person receiving the information would not be able to retain and use it? Was it an unintentional disclosure in good faith or an inadvertent disclosure to another individual at the same facility?
- Determine the need to notify the individual. Check the regulations contained in the HHS interim final rule and state breach notification laws. Consider whether notification could mitigate any harmful effects on the individual. If a patient's credit card or Social Security information was stolen, it may be appropriate to offer him or her credit monitoring services, Blustein says.
- Determine appropriate sanctions. Following through on appropriate internal sanctions can send a chilling message throughout your organization, Blustein says. "Also, if [the Office for Civil Rights] comes in, and something egregious occurred and you've done nothing about it, what are you doing about mitigating the problem in the future?" he says. Depending on the employee involved and the type of violation, consider offering additional HIPAA training, issuing a warning, putting the employee on probation or suspension, or, in extreme situations, terminating the employee.
Tomorrow, we will conclude the series with tips for how to proceed after a breach. All material comes from excerpts from the HCPro, Inc., white paper, "HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.