Pediatric Coding Alert

Document your investigation carefully in case of a lawsuit.

Try as you might to prevent, sometimes a HIPAA breach occurs anyway.

The HIPAA Breach Notification rule (§164.400 et seq.) requires you to take specific actions when faced with a breach incident. Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems based in Charlotte, Vt., outlines the following steps you need to take to evaluate and report breaches, as well as to properly document compliance incidents:

1. Report all breaches promptly to the individual, unless:

a. The disclosure is one of the three exceptions to HHS’ definition of a breach at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html; OR
b. The PHI is encrypted using processes meeting the requirements of HHS guidance; OR
c. A risk assessment determines that there is a low probability of protected health information (PHI) disclosure.

2. Determine whether there is a low probability of disclosure using a HIPAA breach risk assessment that considers four factors:

1) The nature of the information (how detailed, how much identifying information, sensitivity, including the potential for “adverse impact” to the individual?);
2) To whom the information was released (was it another healthcare provider?);
3) Whether the information was actually accessed, used, or disclosed (was it discarded without reading?); and
4) How you mitigated the incident (are there assurances that the information disclosed cannot be further used, disclosed, or retained?).

3. Report breaches of PHI involving more than 500 individuals to HHS at the same time you report the breach to the affected individuals. If the breach involves fewer than 500 individuals, you must report it to HHS within 60 days of the end of the calendar year in which it occurred.

4. Report breaches of PHI to individuals, HHS, and the public according to the applicable regulation (see www.hhs.gov/hipaa/for-professionals/breach-notification/index.html for details).

5. Involve your organization’s counsel and senior management in any breaches that may be reportable under law, to ensure that you follow federal and state laws correctly when providing various notices and reports to agencies. Keep in mind that breaches of an individual’s information may also be subject to the state laws where the individual resides, and not just the state where your agency is located.

6. Document all privacy and security incidents, breaches, and HIPAA breach risk assessments performed to determine whether an incident is a reportable breach. Include documentation of incidents in any compliance evaluation procedures or usage audit and activity review procedures, as appropriate.

7. Develop and preserve information gathered in your investigation of security incidents to the greatest extent possible as potential evidence admissible in court, in case it’s needed in legal proceedings. Whenever possible, identify any individuals or entities that may be liable for harm caused by the incident.

Bottom line: A security incident is bad enough, and you need to know when not to panic versus when you need to launch a response. But if you drop the ball on your duties following a data breach, the risks for bad press and costly penalties are higher than ever before. Make sure you have a solid incident response plan in place to make a bad situation much more bearable.