As of today, there have been 1694 data breaches reported to the Department of Health and Human Services (HHS), impacting over 168 million individuals. The numbers continue to increase at a rapid pace, with data breaches a clear concern in 2016 and continuing forward into 2017. The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine whether there is a “low probability that the information is compromised.” What does that actually mean, and how do you prove “low probability?”
To start, a breach risk assessment should be completed on each unauthorized use or disclosure of protected health information. As part of the breach risk assessment, four objective questions must be asked and answered every time an investigation is completed:
Phew, you answer these questions and you now have all the documentation you need to evaluate the potential breach and submit information to the federal government if it is determined that a breach occurred. WRONG!!! Many more data elements must be collected during the investigation in the event that a data breach needs to be reported to HHS. The notification submission method for reporting a data breach to the Secretary of HHS was recently updated, and it now has clearer data elements and requirements for reporting purposes. Understanding the data elements that must be reported is the foundation of creating a proper method for investigating and documenting a data breach. With the updated reporting form, covered entities and business associates must be ready to report all of these data elements:
If you are not collecting all of these data points each time you complete an investigation, you run the risk of not having all the accurate data and potentially having to repeat the investigation. Create a process that assures collection of all required data elements needed for breach reporting up front, so you don’t have to repeat work and run the risk of extending past the 60-day investigation and notification timeline!
In addition to collecting information for reporting purposes, you must also collect data as your ‘burden of proof’. The administrative component of the HIPAA Breach Notification requirements states that covered entities and business associates have to maintain documentation demonstrating that an investigation took place and what the outcome of the investigation was. The following is the documentation that needs to be maintained.
If a breach occurred, the covered entity must maintain documentation that shows all notifications were made and to whom they were made, the date of each notification, and the content of the notification. If alternate notification occurred, the covered entity should document the type of notification and the individuals to whom that notification was provided.
If a breach did not occur, but an investigation was completed, a covered entity needs to maintain documentation of the breach risk assessment, documentation of why it was determined that there was a low probability that the information was compromised, and the application of any of the breach notification exceptions and why the exception applied.
Don’t get in the habit of doing duplicate work: collect all the data elements up front. Check out the new and improved Data Breaches Impacting Greater than 500 Individuals website.
Prepare, Document, and Take Action!