Last week, I told you that HIPAA is back in the news. Didn’t get a chance to read why? Take a minute to read Part 1 of the HIPAA Readiness series — HIPAA Has Returned. So now that you know why HIPAA is such a hot topic, let’s continue on our HIPAA Readiness journey…
#2 What to do when you have a HIPAA breach.
Uh-oh! You believe there’s been a breach in your HIPAA security. Keep Calm & Do a Risk Assessment. The federal government requires different actions depending on the nature of the information compromised and the number of people affected. So, first, find out how bad the situation is.
You need to document your risk assessment and keep it on file for at least six years. In the best-case scenario, you may find that the disclosure of patient health information (PHI) has been limited to acceptable uses or can be recovered. If there is a low probability that the PHI was compromised, you do not need to report a breach.
But if a breach actually did occur, you need to notify each patient by first-class mail (or by email, if the patient has consented to electronic notices) or by telephone, as soon as possible, if there is any danger that the PHI could be used in a malicious way. If there are 10 or more patients you are unable to contact, you need to notify them publicly on your website or through the media.
In cases involving fewer than 500 individuals, the HITECH Breach Notification regulations require you to notify those patients within 60 days of discovering the breach. You must keep a log of such incidents and report them to the HHS Secretary annually, no later than 60 days after the end of the calendar year. Alternatively, you can report them as they happen at the new OCR Breach Portal. This online reporting process allows you to enter any information you have and add details as they become available. In cases involving 500 or more individuals, you must promptly (within 60 days of discovery) notify each patient, the HHS Secretary, and the media.
In addition to federal requirements, most states have their own laws regarding breach notification. The National Conference of State Legislatures has collected the state laws together here.
You can read more details about how to deal with a security breach on the HHS.gov site. Better yet, you can get everything you need for a strong HIPAA Compliance Program and Risk Assessment from PRS. Click here to learn about all of our COMPLIANCETrack programs.