Editor's note: This is the first in a three-part series about breach notifications. The first installment focuses on preventing breaches.
The U.S. Department of Health and Human Services (HHS) on August 19 released its interim final rule on breach notification of unsecure protected health information (PHI) and the acceptable methods for covered entities (CE) and business associates (BA) to encrypt and destroy patient records in order to prevent breaches.
The PHI breach notification regulations took effect September 23. However, HHS will not enforce the rule until February 22, 2010, or thereabouts.
Although CEs and BAs should have breach notification policies in place, they must also know how to prevent breaches.
"You don't get to the HITECH until you have a privacy breach," says Andrew E. Blustein, Esq., partner and cochair of Garfunkel, Wild & Travis' Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. "If you have good things in your privacy program, you should never get to it."
Consider Blustein's tips for how to prepare for a breach so it doesn't happens:
- Establish appropriate technical safeguards to protect patient information. Require encryption for laptops and other portable devices. Establish remote access roles specific to applications and business requirements. Prohibit the installation of unsecured "homemade" software on laptops. Develop policies regarding the protection of patient information transmitted from remote locations.
- Discuss with vendors their responsibility for protecting patient information. Vendors who are BAs must enter into an agreement with the CE. Further, contact each of your vendors and discuss appropriate safeguards to protect your PHI. If your BA is an agent of the CE, the CE is considered to have notice of the breach at the time the BA has notice. Make clear the lines of communication and responsibility between you and your BA.
- Perform routine audits of employee access to PHI. Let employees know you are conducting the audits. Inform them that you intend for the audits to revitalize the organization's policy.
- Establish a security incident response team. Assign an individual to be responsible for organizing responses to security incidents. Appoint a core team to conduct the investigation (e.g., representatives from IT, HR, risk management, legal, and security departments). Include technical and administrative staff members, as well as staff members directly involved in the incident. "You can't do this on the fly," Blustein says. Build your team carefully and conduct mock breaches.
- Prepare written policies that address the process for internal reporting. Consider what potential breaches need to be reported internally and to whom individuals should report these violations. Set time frames for reporting. "In some cases, you don't want to wait for the investigation team's full report," Blustein says. "Sometimes you want a flash report." Educate staff members and publicize an actual breach in the organization as a teaching moment. Don't keep it quiet.
Tomorrow, we will discuss handling a breach at your facility and then conclude the series the following day with tips for how to proceed after a breach. All material comes from excerpts from the HCPro, Inc., white paper, "HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations."