Suspected breaches may also be submitted online using your “Breach Log” and may also be submitted for
determination and mitigation to Healthcare Compliance Pros’ breach response team.
HIPAA BREACH DECISION TOOL AND RISK ASSESSMENT
DOCUMENTATION FORM
Organizations should use this form when analyzing a potential HIPAA privacy or security breach. This
form will assist you in documenting the required factors of a breach, and assist you in deciding
whether breach notification is required under HIPAA.
Organizations should complete this form as best they can understanding that the responses given to the
questions below may change as more information becomes available. The terms used in this form shall
be given the definitions assigned by HIPAA, not state law. Nothing in this form shall be construed as
an admission in the event of litigation.
Instructions
1. Complete this form beginning with question 1 on the next page.
2. Circle the best answer for each question, and document the information being requested in the
spaces that are provided.
3. If the answer you circle is bold, such as: “Yes, PHI was involved. Continue to Question 6,”
describe the requested information below the answer and continue to the next question.
4. If the answer you circle is italicized, such as: “No, PHI was not involved. No breach reporting
required under HIPAA,” describe the requested information below the answer and stop there.
5. If you have chosen our HIPAA Plus program you also have access to an online breach log to
document each breach. Breaches may also be submitted electronically through HIPAA Plus for
mitigation through your online breach log to Healthcare Compliance Pros’ breach response
team.
HIPAA BREACH DECISION TOOL
1. Name of person completing form: _____________________________________
2. Date incident occurred: _____/___/_____
3. Date incident discovered: _____/___/_____
4. Brief summary of incident including: Type of breach, location of breached information and
number of patients affected:
Provide a brief summary of the incident:
5. Was protected health information (PHI) involved? PHI is individually identifiable health
information: information that identifies an individual, or for which there is a reasonable basis to
believe it can be used to identify an individual. Health information includes any information relating
to the physical or mental health or condition of an individual, the health care provided to an
individual, or payment for health care provided to an individual. PHI does not include employment
records held by a medical practice in its role as an employer, or health information regarding a person
who has been deceased for more than 50 years.
Describe the information involved (for example: a fax containing protected health information was
sent to the wrong number; this was confirmed when the person who received the fax called back to let
us know he was not the intended recipient).
Option 1: Yes, PHI was involved. Describe the kind of information that was involved. Continue
to Question 6.
Describe the kind of information that was involved:
Option 2: No, PHI was not involved. No breach reporting required under HIPAA. If PHI was not
involved you may STOP HERE.
6. Was the PHI unsecured? “Unsecured PHI” means PHI that is not rendered unusable, unreadable,
or indecipherable to unauthorized individuals through the use of a technology or methodology
specified by the Secretary of the U.S. Department of Health and Human Services in guidance, such
as encryption or destruction. The guidance can be found on the DHHS website at:
www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
Describe the PHI (for example, was it verbal, paper or electronic; and was the PHI financial,
demographic or clinical information)? Indicate what protective measures were in place at the time
of the breach (was it secured with encryption, password protected, and/or other). Note that under the
HHS guidance only encryption consistent with that guidance, or destruction, renders PHI “secured”;
password protection alone does not, and encryption does not count if the decryption key or process
was itself exposed in the incident.
Option 1: Yes, the PHI was unsecured. Describe the information that was disclosed and Continue
to Question 7.
Describe the information that was disclosed:
Option 2: No, the PHI was secured. No breach reporting required under HIPAA. If the PHI was
secured, you may STOP HERE.
7. Was there an acquisition, access, use, or disclosure of PHI in a manner not permitted by the
Privacy Rule? Providers should keep in mind that a violation of the “minimum necessary”
standard is not permitted by the Privacy Rule. A use or disclosure of PHI that is incident to an
otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper
minimum necessary procedures is not a violation of the Privacy Rule. Providers may wish to
consult legal counsel to determine if the acquisition, access, use or disclosure was permitted by the
Privacy Rule.
Describe who acquired, accessed, used and/or disclosed the PHI, whether the person(s) was authorized
or unauthorized, and how the PHI was acquired, accessed, used, or disclosed. Note: please do not
include any PHI in your description.
Option 1: Yes, there was an acquisition, access, use or disclosure of PHI in a manner not permitted
by the Privacy Rule. Describe who was involved in this disclosure and Continue to Question 8.
Describe who was involved in this disclosure:
Option 2: No, there was no violation of the Privacy Rule. No breach reporting required under HIPAA. If
there was no violation of the Privacy Rule, you may STOP HERE.
8. Does an exception apply? Circle any exception below (A, B or C) that applies:
Exception A - A breach does not include any unintentional acquisition, access, or use of PHI by a
workforce member, or person acting under the authority of a covered entity or business associate, if it: was
made in good faith; and was within the course and scope of authority; and does not result in further use or
disclosure in a manner not permitted by the Privacy Rule.
Example: A medical provider mistakenly sends an email with PHI to a hospital’s billing employee. The
billing employee opens the email and immediately notifies the medical provider, then deletes the email.
Exception B - A breach does not include an inadvertent disclosure by a person who is authorized to access
PHI at a covered entity or business associate to another person authorized to access PHI at the same
covered entity or business associate, or organized health care arrangement in which the covered entity
participates, and the information received is not further used or disclosed in a manner not permitted by the
Privacy Rule.
Example: A medical provider and medical coder both share the same office. Both the medical provider and
medical coder are authorized to view PHI.
Exception C - A breach does not include disclosure of PHI where the provider or business associate has a
good faith belief that the unauthorized person who received it would not reasonably have been able to
retain the information. These incidents would not constitute reportable breaches.
Example: Mail containing PHI was sent and returned unopened by the post office, so it could not reasonably
have been read or retained by an unauthorized person.
Option 1: No, an exception does not apply. Continue to the Four-Factor Risk Assessment.
Option 2: Yes, an exception applies. Breach reporting is not required. You may STOP HERE.
Four-Factor Risk Assessment
The HIPAA Breach Notification Rule presumes that an impermissible acquisition, access, use or
disclosure of unsecured PHI is a breach unless the covered entity or business associate demonstrates,
through a risk assessment that considers at least the four factors below, that there is a low
probability that the PHI has been compromised. Rather than determining the risk of harm to the
individual, the risk assessment determines the probability that the PHI has been compromised.
1. Describe the nature and extent of the PHI involved, including the types of identifiers, and the
likelihood of re-identification.
Example: Social Security Number, credit cards, financial data, diagnosis, treatment, medications,
behavioral health, substance abuse, and/or sexually transmitted diseases of patient(s).
2. Identification of the unauthorized person(s) who used the PHI or to whom the PHI was
disclosed.
A. Does the person have obligations to protect privacy and security? Yes or No
Example: is the person a covered entity required to comply with HIPAA, or a government employee,
or other person who is required to comply with other privacy laws?
B. Does the person have the ability to re-identify the PHI? Yes or No
Describe who used or received the PHI, whether they have legal obligation to protect the PHI, and
whether they can re-identify the PHI (if the PHI is de-identified):
3. Determine whether the PHI was actually viewed or accessed, or was only exposed to the
opportunity for access. (If electronic PHI is involved, this may require a forensic analysis of the
device or system to determine whether the information was accessed, viewed, acquired, transferred,
or otherwise compromised; system access logs and EHR audit trails are usually the primary evidence.
Attach the report from a computer forensic analyst, if one was obtained.)
Was the PHI actually acquired or viewed? Yes or No
4. Determine the extent to which the risk to the PHI has been mitigated. Providers should consider
the extent and efficacy of the mitigation when determining the probability that the PHI has been
compromised.
A. Can the person who received the PHI provide satisfactory assurances that the PHI will not be
further used or disclosed, or that it will be destroyed? Yes or No
Example: through a confidentiality agreement or similar means.
B. What level of effort has been expended to prevent future related issues and/or to lessen the
harm of the actual breach? Training, policies and procedures….
Describe risk mitigation steps taken:
C. Describe any other relevant factors (write “none” if appropriate):
These factors should be considered in combination and not in isolation when conducting a risk
assessment. If an entity has an incident and its risk assessment concludes that there was a very low
probability that the PHI was compromised, it may choose to not notify the affected individuals or the
Department of Health and Human Services Office for Civil Rights (OCR). However, the Final
Omnibus Rule requires that the entity maintain a “burden of proof” if its conclusions are called into
question. If the OCR investigated the covered entity, it would be required to provide conclusive
documentation of its incident risk assessment and analysis as to why the incident did not result in a
“compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been
negligent in not notifying the affected individuals and subject to substantial fines, penalties, and
corrective action.
Four Factor Risk Assessment Conclusion
The Final Omnibus Rule requires that the entity maintain a burden of proof if its conclusions are called
into question. During an investigation the OCR would require conclusive documentation as to why the
incident did not result in a compromise of PHI. If the entity doesn’t meet the burden of proof, it could
be found to have been negligent in not notifying the affected individuals and subject to fines, penalties
and/or corrective action.
It is important to note that this tool is helpful with respect to a decision whether reporting is required
under federal law (HIPAA). State laws may require notification of a breach as defined in state laws. An
organization may also have reporting obligations pursuant to a business associate agreement or other
contract.
Based on the results of the four factor risk assessment, is there a low probability that the PHI has
been compromised?
Option 1: No, there is not a low probability, there is a higher probability. Breach reporting is
required under HIPAA.
Option 2: Yes, there is a low probability, thus no breach reporting is required under HIPAA. You should still
keep this record, documenting why this incident did not result in a compromise of PHI.
If you have questions about this process, or if you are concerned about meeting the burden of proof
requirements, please contact us, and we can provide breach determination and mitigation services for
you.
Signature of person completing this form: ____________________________________________
Title: ___________________________________________ Date: _________________________
Note: We recommend that you document this information on your online Breach log to
complete the appropriate steps for this incident. Complete your documentation and retain for
future reference or investigations.