Follow the policies and procedures that you have already established so that you can handle the breach properly and smoothly, rather than trying to figure it out as you go. But of course, not everybody has figured that out.
So, in terms of what you need to do today so that you are prepared down the road: you have to get your policies and procedures in place for how you are going to, first of all, recognize that you have a problem, and then what you are going to do if you do have a problem to determine whether it is a breach or not.
You have to have that process in place: who is in charge of deciding, and how are we going to go about deciding whether this is a breach or not? Who gets to make that decision, and who is involved in that process? Who do we call, at what point and at what time? And at what point do the attorneys get involved?
You really have to go through that whole process and think it through now. Now is when you have the time, because when you have a breach you don't have time to figure out what to do. You just have to act, because you have to move pretty quickly. 60 days may seem like, “Gee, two months, I've got a long time to figure this out.” Remember, time marches along pretty quickly. And if you are moving that fast, a lot of times you can't figure out what went wrong and you're at a real disadvantage.
Take the time now to get the policies and procedures in place, and get some drills done, so that you're prepared to deal with the situation when it comes along, because sooner or later it happens. If you are in a large organization, with enough information going around, there is going to be a breach at some point. So now is the time to be prepared to ensure HIPAA compliance.
When it's time to turn in your log of breaches, do you need to include everything that might have been a breach but that you decided wasn't a breach, or just the things you decided were a breach?
The interpretation is that it's basically just the actual breaches that you need to include in the log. The incidents you went through and decided, “No, this one doesn't qualify as a breach because there was no significant risk of harm,” or because it falls under one of the exceptions, don't count as official breaches, and so they don't go into the log. It's just the ones where you made the decision that it was a breach.
Now, it is important to note that even if you aren't including some of those incidents as breaches, make sure you maintain the documentation of the incidents that you decided were not an official breach, did not need to be reported and did not need to have anybody notified, to guarantee HIPAA compliance.
That way, if there are any questions, or if you do get an audit by Health and Human Services, the Office for Civil Rights, the Office of Inspector General, or any of the various offices and agencies that are part of Health and Human Services, you are ready when they ask a few questions about this.
HIPAA Training Tip: You need to make sure that you have your documentation in hand so that you can justify what you've done, and justify it by saying, “Yes, we do know there was some information exposed. We decided that was not a breach, because there was no significant risk of harm.” You have to maintain your documentation on that and on all these kinds of decisions you make to safeguard HIPAA compliance. But what goes into the log is just the things that you actually decided were breaches.
For expert training sessions on the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Business Associates Rule, HIPAA Audits & Enforcement, and others, visit the HIPAA Compliance page.