10 Things to Include in Your HIPAA Breach Notification Policy
From - G2 Compliance Advisor Earlier this month we told you about a $475,000 settlement one provider reached in a HIPAA breach notification case. Privacy lapses can occur despite… . . . read more
Earlier this month we told you about a $475,000 settlement one provider reached in a HIPAA breach notification case. Privacy lapses can occur despite your best efforts to prevent them. If prevention does fail, the imperative switches to incident response and damage control. One of the key response challenges is furnishing timely notification under the HIPAA Breach Notification Rule. Here is how to implement a breach notification policy enabling you to meet that challenge.
What the Notification Rule Requires
The Notification Rule requires providers to notify affected parties of breaches that compromise the privacy of protected health information. And you must act fast. Notification must be provided “without unreasonable delay” and no later than 60 days of discovering the breach.
Breach notification has become a compliance imperative. The recent $475,000 settlement with Illinois health system Presence Health sends a clear signal that the HHS Office for Civil Rights (OCR) is dead serious about enforcing the 60-day deadline.
The Importance of a Breach Notification Policy
Breach notification is not something you can do on the spur of the moment. You must plan ahead and implement a policy enabling you to do three things:
- Investigate incidents in which PHI is or may have been compromised;
- Determine whether the incident constitutes a HIPAA breach for which notification is required; and
- If so, process and transmit the appropriate notifications.
The 10 Things to Include in Your Breach Notification Policy
Although breach notification policies cannot be one-size-fits-all, there are 10 things they should include.
- Policy Statement
- Explanation of Purpose
- Incident Investigation & Breach Determination
- Determination of Whether PHI Was “Secured”
- Determine If an Exception Applies
- Conduct a Risk Assessment
- Require Patient Notification
- Require HHS Notification
- Require Media Notification
- List Required Content of Notification
For further explanation of each of these elements and model language you can adapt for your own policy, see “Compliance Perspectives: How to Create a HIPAA Breach Notification Policy,” G2 Compliance Advisor, January 2017, pages 5-9.
Subscribe to view Essential
Start a Free Trial for immediate access to this article