top of page
cs-eye

Are You Prepared to Report a Data Breach? Collecting the Right Information Can Help!


The number of data breaches being reported to the federal government has been far more than anyone expected and the numbers are raising on a rapid pace. The final breach notification rule requires that healthcare organization conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine if there is a “low probability that the information is compromised.” Anytime there is an unauthorized use or disclosure of protected health information, four objectives questions must be asked and answered EVERYTIME an investigation is completed:

  1. The nature and extent of the PHI involved in the data breach, including the types of identifiers and likelihood of the re-identification

  2. The unauthorized person (people) who used the PHI or whom it was disclosed to

  3. Whether the PHI was view, acquired, or re-disclosed

  4. The extent to which the risk to the PHI has been mitigated

With the answers to these questions complete, a healthcare organizations can feel confident they have the documentation and proof in place to submit a data breach notification to the Secretary of the Department of Health and Human Services (DHHS); however, many more data elements must be collected during the investigation in case a data breach needs to be report. The notification method for the Secretary of HHS recently had a refresh. Understanding the data elements that must be reported is the foundation of creating a proper method for investigating and documenting a data breach investigation and the outcome. With the updated reporting form, covered entities muse be ready to report of these data elements:

  • Breach Start Date

  • Breach End Date

  • Discovery Start Date

  • Discovery End Date

  • Approximate Number of People Impacted

  • Type of Breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)

  • Location of Breach (Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films, Other-Must enter a location)

  • Type of Protected Health Information Involved (Clinical, Demographic, Financial, Other-Must enter a details)

  • Brief Description of the Breach

  • Safeguards in Place Prior to Breach (None, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Technical Safeguards, Security Rule Physical Safeguards)

  • Individual Notice Provided Start Date

  • Individual Notice Provided End Date

  • If Substitute Notice was required

  • If Media was notified

  • Actions taken in response to breach

The best idea is to create a process that will assure collection of this data and information for every investigation. That way, depending on the outcome, you are prepare in the case you have to report a breach to HHS!


30 views0 comments

コメント


bottom of page