The next area we want to discuss is breaches – the cause of most audits. Almost all covered entities will have a breach in the privacy of protected health information (PHI). Ultimately, by ensuring you have enacted the appropriate policies and procedures, performed your risk analysis and management plan, developed appropriate technical and physical safeguards, and trained your employees, you are doing all you can to prevent these breaches from occurring. However, even with all of this, breaches still happen. In 2019, we saw a couple of instances where breaches occurred, but the subsequent patient and OCR notifications were not sent in the appropriate amount of time.
So what is a Breach?
The HIPAA regulations define a breach in section 164.402 as follows:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] of this part which compromises the security or privacy of the protected health information . . .
The Breach Notification Rule page on the HHS website defines a breach as follows:
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information . . .
In general, a breach is an event where a person or entity sees or obtains protected health information (PHI) they had no legal reason to see. There are some exceptions to this, and the Pharmacy can conduct a risk assessment of the breach to determine whether there is a low probability that the PHI was compromised. If you go down the risk assessment route, we recommend enlisting the services of an attorney.
What do you do if you think you have a breach?
When there is a suspected breach, the Pharmacy’s Privacy Officer and management need to begin a process of investigating, identifying, notifying, and preventing. This process (described below) will ensure the Pharmacy is doing all it can to identify and address the breach and prevent future breaches from occurring. Here is a general breach roadmap:
- Investigation: Investigate to determine whether a breach of PHI did happen and, if so, identify all the facts of the breach.
- Risk Assessment (optional step): If there was a breach, conduct a risk assessment of the breach to determine whether there is a low probability that the protected health information was compromised.
- Patient Notification: Notify all of the affected patients within 60 days of discovery. The notification must include:
• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
• A description of the types of Protected Health Information that were involved in the breach
• The steps patients should take to protect themselves from potential harm resulting from the breach
• A brief description of what the Practice is doing to investigate the breach, mitigate losses, and protect against further breaches
• Contact procedures for patients to ask questions or learn additional information (which will include a toll-free telephone number, e-mail address, website, or postal address)
- OCR Notification (Federal Government): Notify the OCR:
• Within 60 days of discovery for breaches affecting 500 or more individuals
• Within 60 days of the end of the year (Feb 29, 2020 for 2019 breaches) for breaches affecting fewer than 500 individuals
- Media Notification: Notify the media within 60 days of discovery if the breach affects 500 or more individuals in the same State.
- State Notification: Follow any other requirements your State has related to breaches.
Concurrently with the notification process, you should also follow up on any other items identified during the investigation and make all of the changes to your operation necessary to prevent a similar breach from occurring again in the future. These steps could include:
- Collection of the breached PHI
- Mitigation of further Disclosures
- Determination of whether identity theft protection should be purchased for those whose information was breached
- Changes to Policies and Procedures
- Notification of Law Enforcement
- Employee Sanctions
- Employee Training
- Updates to Technologies
If you have PRS Pharmacy Services’ HIPAATrack Program and suspect you have a breach, you simply need to start the process by following the Policy and Procedure: Suspected Violations and Breaches (HIPAATrack members can log in here).