Eight Tips to Polish Your Hospital's Patient Breach Response

Editor's note: This is the third in a three-part series about breach notifications. Part one focused on how to prevent breaches. Part two tackled how to handle breaches. This installment offers some final tips if a breach occurs. 

Now that you've followed protocol—the government's and your facility's—consider these final checklist items for after you respond accordingly to a breach.

They are offered by Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis' Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT:

• Incorporate lessons learned into existing procedures (were internal reporting and investigation fast and efficient?)


• Include the breach on the annual log reported to HHS


• Modify policies as necessary


• Reeducate staff members regarding lessons learned


• Look for repeating patterns (e.g., one patient area that has multiple incidents)


• Include the unauthorized disclosure on the accounting of disclosures


• Include any sanctions on the HIPAA sanctions log


• Ensure that investigation notes and reports were appropriately detailed and that they are maintained

HHS has said it will not enforce breach notification provisions until February 2010—or 180 days from the publication of the interim final rule—but HITECH states that covered entities (CE) are subject now to penalties for noncompliance.

CEs should have breach response systems in place already, says Chris Simons, RHIA, director of UM and HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME.