
Are You Prepared to Report a Data Breach? Collecting the Right Information Can Help!


The number of data breaches being reported to the federal government has been far more than anyone expected, and the numbers are rising at a rapid pace. The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine whether there is a “low probability that the information is compromised.” Any time there is an unauthorized use or disclosure of protected health information, four objective questions must be asked and answered EVERY TIME an investigation is completed:

  1. The nature and extent of the PHI involved in the data breach, including the types of identifiers and the likelihood of re-identification

  2. The unauthorized person (or people) who used the PHI or to whom it was disclosed

  3. Whether the PHI was actually viewed, acquired, or re-disclosed

  4. The extent to which the risk to the PHI has been mitigated

With the answers to these questions complete, a healthcare organization can feel confident it has the documentation and proof in place to submit a data breach notification to the Secretary of the Department of Health and Human Services (DHHS); however, many more data elements must be collected during the investigation in case a data breach needs to be reported. The notification method for the Secretary of HHS was recently refreshed. Understanding the data elements that must be reported is the foundation for creating a proper method of investigating and documenting a data breach investigation and its outcome. With the updated reporting form, covered entities must be ready to report these data elements:

  • Breach Start Date

  • Breach End Date

  • Discovery Start Date

  • Discovery End Date

  • Approximate Number of People Impacted

  • Type of Breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)

  • Location of Breach (Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films, Other-Must enter a location)

  • Type of Protected Health Information Involved (Clinical, Demographic, Financial, Other-Must enter details)

  • Brief Description of the Breach

  • Safeguards in Place Prior to Breach (None, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Technical Safeguards, Security Rule Physical Safeguards)

  • Individual Notice Provided Start Date

  • Individual Notice Provided End Date

  • If Substitute Notice was required

  • If Media was notified

  • Actions taken in response to breach

The best idea is to create a process that ensures collection of this data and information for every investigation. That way, whatever the outcome, you are prepared in case you have to report a breach to HHS!
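One way to build that collection step into the investigation process, as an added example that is not part of the original post: a Python check that an investigation record carries every data element listed above before anyone tries to file it. The record's key names are this example's own assumptions; the allowed values are the ones the post lists, and the date-ordering and "Other requires detail" rules are the example's reading of the form.

```python
# Allowed values are the ones the HHS form lists (quoted from the post above).
BREACH_TYPES = {"Hacking/IT Incident", "Improper Disposal", "Loss", "Theft",
                "Unauthorized Access/Disclosure"}
LOCATIONS = {"Desktop Computer", "Electronic Medical Record", "Email", "Laptop",
             "Network Server", "Other Portable Electronic Device", "Paper/Films", "Other"}
PHI_TYPES = {"Clinical", "Demographic", "Financial", "Other"}
SAFEGUARDS = {"None", "Privacy Rule Safeguards", "Security Rule Administrative Safeguards",
              "Security Rule Technical Safeguards", "Security Rule Physical Safeguards"}


def validate_report(r: dict) -> list:
    """Return the problems in an investigation record; [] means ready to file.
    Keys are this example's names for the form's elements; dates are ISO strings."""
    problems = []
    # Each date window must end no earlier than it starts, and a breach cannot
    # be discovered before it began ("YYYY-MM-DD" strings compare correctly).
    for start, end in (("breach_start", "breach_end"),
                       ("discovery_start", "discovery_end")):
        if r[end] < r[start]:
            problems.append(f"{end} precedes {start}")
    if r["discovery_start"] < r["breach_start"]:
        problems.append("discovery_start precedes breach_start")
    if r["people_impacted"] < 1:
        problems.append("people_impacted must be at least 1")
    # Enumerated fields must use the form's values; "Other" needs free text.
    if r["breach_type"] not in BREACH_TYPES:
        problems.append(f"unknown breach_type {r['breach_type']!r}")
    if r["location"] not in LOCATIONS:
        problems.append(f"unknown location {r['location']!r}")
    elif r["location"] == "Other" and not r.get("location_detail", "").strip():
        problems.append("location 'Other' requires location_detail")
    if not r["phi_types"] or not set(r["phi_types"]) <= PHI_TYPES:
        problems.append("phi_types must be a non-empty subset of the form's list")
    elif "Other" in r["phi_types"] and not r.get("phi_detail", "").strip():
        problems.append("PHI type 'Other' requires phi_detail")
    if not r["safeguards"] or not set(r["safeguards"]) <= SAFEGUARDS:
        problems.append("safeguards must be chosen from the form's list")
    # Individual notice dates come as a pair (both set or both absent).
    n_start, n_end = r.get("notice_start"), r.get("notice_end")
    if (n_start is None) != (n_end is None):
        problems.append("notice_start and notice_end must both be set")
    elif n_start is not None and n_end < n_start:
        problems.append("notice_end precedes notice_start")
    # Free-text narrative the form always asks for.
    for key in ("description", "actions_taken"):
        if not str(r.get(key, "")).strip():
            problems.append(f"{key} is required")
    return problems
```

Run it at the end of every investigation, not only the ones that look reportable, so the record is complete whichever way the four-factor assessment comes out.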

