HIPAA Security Breach Response Plan

Healthcare Training Resource
July 3, 2012 — 1,019 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

According to the United States Department of Health & Human Services (HHS), Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule, was the first set of national standards for protection of health information. In 1996, the department implemented in the Human Insurance Portability and Accountability Act (HIPAA). The main goal of this act and the Privacy Rule is to insure an individual's health information remains confidential to protect the patient's well being and the public's health.

It is important that hospital administrators and medical record professionals know the steps necessary to put together an effective and practical HIPAA security incident and security breach response plan. A HIPAA security breach is when information is used without permission or is disclosed that compromised the privacy or security of protected health information. The Department of HHS states that a breach can pose a significant risk, reputational, financial or otherwise, to the individual.

When a HIPAA security breach is committed, under law the facility must provide notification to the individual, the Secretary of breaches and sometimes the media. The individual must be notified within 60 days by first-class mail or by e-mail if they prefer. The Secretary can be notified on the HHS website by filling out an electronic breach report form. The media must be notified within 60 days by press release if the security breach affects more than 500 residents of a State or jurisdiction.

Having a HIPAA security response plan is key to handling these circumstances in a methodical manner. With a plan in place for your organization, there is a decreased chance of additional penalties and investigation. When you learn of a possible security breach, it is important to investigate it right away and document the details of the breach.

Next, you should immediately take steps to temper any harm to the individual that was caused by the breach. Having a general checklist prepared of what items need to be addressed in the event of a HIPAA security breach is best. Many facilities also find it helpful to have model security breach notices written that can be customized to the circumstance. Finally, Gail Sargent, J.D., LL.M., an attorney whose practice focuses on HIPAA, suggests having a sample script that can be used with discussing the security breach with patients and affected individuals. 

While your facility strives to maintain all ethical and lawful requirements of patient privacy, you never know when a security breach might occur. Having a HIPAA security breach response plan can keep the situation controlled and dignified.

Healthcare Training Resource