What should I do?
Navigating the world of HIPAA can be difficult, and in the event of discovering a breach, many are unsure of how to proceed. According to the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR), “a breach is an impermissible use or disclosure of protected health information (PHI).”
Covered entities are required to report a breach to the OCR within 60 days and to conduct an internal assessment to determine the risk level of the breach. Even one instance of breached PHI carries the risk of an audit. Devastating fines are often the result of skipping the necessary steps out of negligence or for convenience. Having a team of professionals on your side who understand HIPAA can make an immense difference in how a breach is handled and reported. Breaches are going to occur; the question is, are you prepared to resolve them when they do?
We have your back
A client recently reached out to the Audit Support team at HIPAA One asking for assistance in addressing a complaint filed against them with the OCR. A document containing PHI had been mailed to the wrong patient, and the recipient filed a formal complaint. Upon learning of the complaint, and knowing the possible repercussions of a mishandled PHI breach, they contacted HIPAA One for support.
Our experienced team of professional auditors walked them through the process of filling out an incident response form (provided by us), conducting a risk assessment, and reporting the breach to the OCR. Because of the swift and thorough actions taken by this client, the OCR determined that they had done a complete investigation and no further action was necessary.
What did this organization do right? First and foremost, they acted quickly to remediate the issue. They recognized where there were gaps in their knowledge, and they sought the necessary help. They documented their actions, created a breach timeline, and notified the appropriate parties.
Critical steps to take following the discovery of a potential breach
If you have discovered a potential breach, it is helpful to first determine whether it is a security incident or a privacy incident. Generally, a security incident is a consequence of improper computer security policies or practices. All other incidents involving compromised PHI are more than likely privacy incidents. In general, security incidents have a much wider reach in terms of individuals affected and require extensive technical remediation to re-establish network security.
Once you have identified the type of breach, the next step is to conduct a risk assessment. When conducting the analysis, you should consider the following questions:
- Did a breach actually occur?
- Whose PHI was involved and what is the possible level of harm to those affected?
- Who needs to be notified of the breach?
Documenting the actions taken during this process is very important, because this is the information the OCR needs when it is notified of a breach. The OCR tries to gauge an organization's knowledge of the breach to determine whether it acted with "willful neglect" during the remediation process. The table below explains the penalty tiers associated with these factors.
After completing the risk assessment, an organization should begin notifying the appropriate parties. This includes the affected individuals, team members relevant to the situation, and the Secretary of the U.S. Department of Health and Human Services (HHS).
Prepare for a breach now, not after it happens
These are very basic steps in the process of discovering and reporting a breach, but the reality is that HIPAA laws can be confusing and complex, and it is difficult to know how they apply to your specific situation. One of the benefits of being a HIPAA One client is having access to our full-time audit support team to answer questions or help you begin the breach investigation process. Just as you are a professional in your own industry, we understand the world of HIPAA enforcement. It’s what we do every day. To learn more about what to do in the event of a breach, or for any other questions regarding HIPAA compliance, contact us at [email protected] or visit our website to schedule an appointment.