Editor's note: This is the third in a three-part series about breach notifications. Part one focused on how to prevent breaches. Part two tackled how to handle breaches. This installment offers some final tips if a breach occurs.
Now that you've followed protocol—the government's and your facility's—consider these final checklist items for after you respond accordingly to a breach.
They are offered by Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis' Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT:
- Incorporate lessons learned into existing procedures (were internal reporting and investigation fast and efficient?)
- Include the breach on the annual log reported to HHS
- Modify policies as necessary
- Reeducate staff members regarding lessons learned
- Look for repeating patterns (e.g., one patient area that has multiple incidents)
- Include the unauthorized disclosure on the accounting of disclosures
- Include any sanctions on the HIPAA sanctions log
- Ensure that investigation notes and reports were appropriately detailed and that they are maintained
HHS has said it will not enforce breach notification provisions until February 2010—or 180 days from the publication of the interim final rule—but HITECH states that covered entities (CE) are subject now to penalties for noncompliance.
CEs should have breach response systems in place already, says Chris Simons, RHIA, director of UM and HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME.
However, if CEs still need to work on their policies, they should focus their energies on making sure staff members understand the process for and importance of prompt reporting.
"If your staff doesn't know who their privacy officer is, that's a problem," Simons says. "That's a good starting place. Make sure staff knows what a breach is and who to report it to. They should be encouraged to immediately report even the suspicion of an issue."
Document everything your organization does in response to a suspected breach, Simons adds. Conduct a risk analysis to expose your internal weaknesses. It could help you prevent a breach in the first place, which, after all, is the goal.
"What are your serious risks, and what are your minor risks?" Simons says. "How are you educating people, and are your policies and procedures in place? Get out there and do your rounds to see what's going on and see if you hear things."
This series contained excerpts from the HCPro, Inc., white paper, "HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations."