Responding to a breach is an extremely recommended segment to comply with HIPAA. In this way, you can ensure complete safety in order to alleviate breaches. Below are the four approaches you should adopt to avoid breaches.
A. Analyzing the Risk
HIPPA requires this approach due to its significance. It should be entirely comprehensive and needs to be an executed as soon as possible. In this regard, you need to look for the following parameters:
- The beginning and end of the breach
- The date you discovered the breach
- An Approximation of the individuals affected by it
- The location where the breach occurred
- The type of breach occurred
- IT Incident/ Hacking
- PHI’s Improper disposal of
- Leak/ Illegal Access
- The type of PHI involved
B. Contacting the Establishments
Right after the discovery of the breach and the determination of the transpiration of a crime, you need to make a contact with the establishments. For issues regarding malware, you need to approach FBI for filing a legal complaint.
C. Notification of Patients
U.S. Mail should be used to notify every single patient regarding the breach. And, you need to make a clear outline of your Privacy Practice’s Notice that you will notify via electronic sending of emails on which every patient is required to do a confirmation signature. You can save a huge amount of money and time through this approach. Therefore, it is extremely recommended to add this clause to your plan of compliance. You need to get in touch with the team at Total HIPAA or your lawyer for the addition of this clause for ensuring proper implementation.
The Notice of Substitution:
This is necessary in case you cannot access ten 10 more persons. Now, you have to pursue C 2.
1) Post the Notice on your website for 3 months, or
2) Contact outlets for local media and let them post the notification of the breach.
The Requirements to be in the Notification of Patients:
- A brief description of the happening, the breach’s date and the discovery date of the breach.
- An explanation of the unsecured PHI’s types found to be in the breach (health information, name, date of birth, address, treatment codes, SSN etc.)
iii. The steps to be taken by the individuals for their protection from possible damage. For each incident, the action could not be the same.
- A concise explanation of involvement of the covered body for investigating the breach, to tone down harm as well as to guard against upcoming breaches.
- Procedures of contacts for people to make an inquiry or procure more information, an email address a phone number, postal address or website.
D. Notifying Human Health Service of the Breach, or The 500Rule
Less than 500 Patients Affected
In case your breach affects the information of fewer than 500 patients, you do not need to notify at the time of the discovery of breach to HHS. However, you need to report the breach to Human Health Service and mention all the above-stated requirements at the end of the year. You need to notify HHS not more than 2 months period of the last day of the year.
More than 500 Patients Affected
In case your breach affects the information of more than 500 patients, you need to immediately notify at the time of the discovery of breach to HHS. Also, you need to go for verification of the rules of HIPAA breach notification regarding your respective state since they might vary.