Suspected breaches may also be submitted online using your “Breach Log” and may also be submitted for determination and mitigation to Healthcare Compliance Pros’ breach response team.

HIPAA BREACH DECISION TOOL AND RISK ASSESSMENT DOCUMENTATION FORM

Organizations should use this form when analyzing a potential HIPAA privacy or security breach. This form will assist you in documenting the required factors of a breach, and in deciding whether breach notification is required under HIPAA. Organizations should complete this form as best they can, understanding that the responses to the questions below may change as more information becomes available. The terms used in this form shall be given the definitions assigned by HIPAA, not state law. Nothing in this form shall be construed as an admission in the event of litigation.

Instructions

1. Complete this form beginning with question 1 on the next page.
2. Circle the best answer for each question, and document the information being requested in the spaces provided.
3. If the answer you circle is bold, such as “Yes, PHI was involved. Continue to Question 2,” describe the requested information below the answer and continue to the next question.
4. If the answer you circle is italicized, such as “No, PHI was not involved. No breach reporting required under HIPAA,” describe the requested information below the answer and stop there.
5. If you have chosen our HIPAA Plus program you also have access to an online breach log to document each breach. Breaches may also be submitted electronically through HIPAA Plus, via your online breach log, to Healthcare Compliance Pros’ breach response team for mitigation.
HIPAA BREACH DECISION TOOL

1. Name of person completing form: _____________________________________
2. Date incident occurred: _____/___/_____
3. Date incident discovered: _____/___/_____
4. Brief summary of incident, including the type of breach, the location of the breached information and the number of patients affected:
Provide a brief summary of the incident:
5. Was protected health information (PHI) involved?
Protected health information is health information that can be used to identify an individual, or for which there is a reasonable basis to believe it can be used to identify an individual. Health information includes any information relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual. PHI does not include employment records held by a medical practice in its role as an employer, or PHI regarding a person who has been deceased for more than 50 years.
Describe the information involved (for example: an erroneous fax containing protected health information was sent to the wrong individual; this was confirmed when the person who received the fax called back to let us know he was not the intended recipient).
Option 1: Yes, PHI was involved. Describe the kind of information that was involved. Continue to Question 6.
Describe the kind of information that was involved:
Option 2: No, PHI was not involved. No breach reporting required under HIPAA.
If PHI was not involved you may STOP HERE.
6. Was the PHI unsecured?
“Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance, such as encryption or destruction. The guidance can be found on the DHHS website at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
Describe the PHI (for example, was it verbal, paper or electronic; and was the PHI financial, demographic or clinical information)?
Indicate what protective measures were in place at the time of the breach (was it secured with encryption, password protected, and/or other):
Option 1: Yes, the PHI was unsecured. Describe the information that was disclosed and continue to Question 7.
Describe the information that was disclosed:
Option 2: No, the PHI was secured. No breach reporting required under HIPAA. If the PHI was secured, you may STOP HERE.
7. Was there an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule?
Providers should keep in mind that a violation of the “minimum necessary” standard is not permitted by the Privacy Rule. A use or disclosure of PHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures is not a violation of the Privacy Rule. Providers may wish to consult legal counsel to determine if the acquisition, access, use or disclosure was permitted by the Privacy Rule.
Describe who acquired, accessed, used and/or disclosed the PHI, whether the person(s) was authorized or unauthorized, and how the PHI was acquired, accessed, used, or disclosed. Note: please do not include any PHI in your description.
Option 1: Yes, there was an acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule.
Describe who was involved in this disclosure and continue to Question 8.
Describe who was involved in this disclosure:
Option 2: No, there was no violation of the Privacy Rule. No breach reporting required under HIPAA. If there was no violation of the Privacy Rule, you may STOP HERE.
8. Does an exception apply? Circle any exception below (A, B or C) that applies:
Exception A - A breach does not include any unintentional acquisition, access, or use of PHI by a workforce member, or person acting under the authority of a covered entity or business associate, if it: was made in good faith; and was within the course and scope of authority; and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
Example: A medical provider mistakenly sends an email with PHI to a hospital’s billing employee. The billing employee opens the email and immediately notifies the medical provider, then deletes the email.
Exception B - A breach does not include an inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received is not further used or disclosed in a manner not permitted by the Privacy Rule.
Example: A medical provider and medical coder both share the same office. Both the medical provider and medical coder are authorized to view PHI.
Exception C - A breach does not include disclosure of PHI where the provider or business associate has a good faith belief that the unauthorized person who received it would not reasonably have been able to retain the information. These incidents would not constitute reportable breaches.
Example: Mail containing PHI was sent and returned unopened by the post office, so it could not reasonably have been read or retained by an unauthorized person.
Option 1: No, an exception does not apply. Continue to the Four-Factor Risk Assessment.
Option 2: Yes, an exception applies. Breach reporting is not required. You may STOP HERE.

Four-Factor Risk Assessment

The HIPAA Breach Notification Rule requires consideration of at least four factors by completing a risk assessment after discovering a breach of unsecured protected health information. Rather than determining the risk of harm, the risk assessment determines the probability that PHI has been compromised based on four factors.
1. Describe the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Example: Social Security Number, credit cards, financial data, diagnosis, treatment, medications, behavioral health, substance abuse, and/or sexually transmitted diseases of patient(s).
2. Identification of the unauthorized person(s) who used the PHI or to whom the PHI was disclosed.
A. Does the person have obligations to protect privacy and security?
Yes or No
Example: is the person a covered entity required to comply with HIPAA, or a government employee, or other person who is required to comply with other privacy laws?
B. Does the person have the ability to re-identify the PHI? Yes or No
Describe who used or received the PHI, whether they have a legal obligation to protect the PHI, and whether they can re-identify the PHI (if the PHI is de-identified):
3. Determine whether the PHI was actually viewed or accessed.
Consider whether the PHI was actually acquired or viewed. (If electronic PHI is involved, this may require a forensic analysis of the computer to determine if the information was accessed, viewed, acquired, transferred, or otherwise compromised. Attach the report from a computer forensic analyst, if one was obtained.)
Was the PHI actually acquired or viewed? Yes or No
4. Determine the extent to which the risk to the PHI has been mitigated.
Providers should consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.
A. Can the person who received the PHI provide satisfactory assurances that the PHI will not be further used or disclosed, or that it will be destroyed? Yes or No
Example: through a confidentiality agreement or similar means.
B. What level of effort has been expended to prevent future related issues and/or to lessen the harm of the actual breach? (Training, policies and procedures, etc.)
Describe risk mitigation steps taken:
C. Describe any other relevant factors (write “none” if appropriate):
These factors should be considered in combination and not in isolation when conducting a risk assessment. If an entity has an incident and its risk assessment concludes that there was a very low probability that the PHI was compromised, it may choose not to notify the affected individuals or the Department of Health and Human Services Office for Civil Rights (OCR). However, the Final Omnibus Rule requires that the entity maintain a “burden of proof” if its conclusions are called into question. If the OCR investigated the covered entity, it would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.

Four Factor Risk Assessment Conclusion

The Final Omnibus Rule requires that the entity maintain a burden of proof if its conclusions are called into question. During an investigation the OCR would require conclusive documentation as to why the incident did not result in a compromise of PHI. If the entity doesn’t meet the burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to fines, penalties and/or corrective action. It is important to note that this tool is helpful with respect to a decision whether reporting is required under federal law (HIPAA).
State laws may require notification of a breach as defined in state law. An organization may also have reporting obligations pursuant to a business associate agreement or other contract.
Based on the results of the four factor risk assessment, is there a low probability that the PHI has been compromised?
Option 1: No, there is not a low probability; there is a higher probability. Breach reporting is required under HIPAA.
Option 2: Yes, there is a low probability, thus no breach reporting is required under HIPAA. You should still keep this record to document why this incident did not result in a compromise of PHI.
If you have questions about this process, or if you are concerned about meeting the burden of proof requirements, please contact us, and we can provide breach determination and mitigation services for you.
Signature of person completing this form: ____________________________________________
Title: ___________________________________________
Date: _________________________
Note: We recommend that you document this information on your online Breach Log to complete the appropriate steps for this incident. Complete your documentation and retain it for future reference or investigations.