Encryption is your best friend when it comes to preventing breaches.
Don’t go through a resource-intensive — and potentially embarrassing — breach notification process if you don’t have to.
Before you can start identifying potential breaches at your organization, it’s important to know what the law says. “According to the Privacy Rule, a breach is any acquisition, access, use or disclosure in violation in the privacy rule — and that covers a lot,” said Jim Sheldon-Dean, director of compliance services with Lewis Creek Systems during a recent Eli-sponsored Audioeducator.com webinar “HIPAA Audits in 2015 — Being Prepared and Avoiding Penalties.”
However, there are exceptions under which you aren’t required to report the breach, including the following, Sheldon-Dean added:
If you don’t meet these exceptions but you can prove there was a low probability of compromise based on your risk assessment, you may still be in the clear, Sheldon-Dean said. The risk assessment must include a detailing of what information was in the records, how well identified the PHI was, and whether its release would be “adverse to the individual.” You’ll also have to assess to whom it was disclosed, whether it was actually acquired or viewed and the extent of mitigation.
For instance: Suppose you fax a test result with just patient initials to the wrong physician. The physician calls you and says, “You meant to send this to someone else, we’re shredding it.” That’s a low probability of compromise, with very little identifying patient information on it, Sheldon-Dean says.