Protected Health Information Breaches: Corporate Duties

Jeannine LeCompte, Compliance Research Specialist

With Protected Health Information (PHI) breaches potentially having serious financial, civil, and criminal outcomes, it should be clear that the primary responsibility of adhering to all the legal requirements lies with a facility’s owners and management.

There are a number of important steps that organization leadership can take to help ensure compliance:

  • Conduct periodic privacy audits and take remedial actions as necessary.
  • Provide employee training in the area of privacy for new employees and annually for all current employees.
  • Remain up-to-date and advise on new technologies to protect data privacy.
  • Remain up-to-date on laws, rules, and regulations regarding data privacy and update policies and procedures as necessary.

All facilities are required by law to maintain and distribute a notice that describes their HIPAA privacy practices.

When it comes to applying the rules of the Health Information Technology for Economic and Clinical Health Act (HITECH), a facility must ensure that all partner companies have a business associate agreement that addresses all the Privacy Rules. This agreement must stipulate that associates notify the facility as soon as reasonable, but no later than 60 days, after a breach. Notification must include identification of each individual affected by the breach.

When any breach occurs, the facility must conduct a risk assessment within 30 days to determine the exact nature of the data released, who received or used it, and whether the data was viewed by unauthorized persons. This assessment report, which should also include any risk reduction or recovery measures, must be submitted as soon as possible to the Department of Health and Human Services (HHS).

There are specific rules concerning deadlines for reporting to HHS: if fewer than 500 individuals are affected, reporting must take place no later than 60 days after discovery. If more than 500 individuals are affected, the affected individuals must be notified no later than 60 days after discovery, with HHS notified at the same time, as well as prominent local news media serving the area.