So, what is a breach according to HIPAA? A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual [45 C.F.R. §164.402, as worded in the 2009 interim final rule]. Note that not every impermissible use or disclosure is a breach, but every one of them still has to be evaluated against this definition before you can decide it is not reportable.
One of the things I have learned through all my reading, webinars and seminars is that knowing when to report a breach is not enough: we must investigate every security incident, whether or not it turns out to be reportable. This is not just good practice; the Security Rule's incident procedures standard [45 C.F.R. §164.308(a)(6)] requires covered entities to identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes. How security incidents are investigated and handled is examined with great interest during an audit, and the way incidents and breaches are handled can greatly affect the fines imposed; fines tend to be much larger when incidents were not handled properly.
We need to treat the investigation of a security incident as the way we keep it from recurring. If an incident causes us no harm this time and we do not thoroughly investigate how it happened, nothing prevents it from happening again, and next time it may be an actual breach.
It stands to reason that repeated incidents and breaches are not looked upon favorably by auditors, and they are certainly not good for the patients we are trying to protect. Now is a good time to review how you handle investigations and to make sure that everyone is actually following your written policies.