HIPAA HITECH Breach By Small Physician Practice: Actual Experience

The OCR letter detailing the allegations gave them 21 days to respond with the following:

"1. Documentation of the covered entity's admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.

2. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.

3. Documentation of the covered entity's corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:

    a. sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity's current policies and procedures, and as required by the Privacy Rule.

    b. re-training of appropriate workforce members.

    c. mitigation of the harm alleged, as required by the Privacy Rule.

4. A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

5. A copy of the policies and procedures implemented to safeguard the CE's facility and equipment.

6. Evidence of physical safeguards implemented for computing devices to restrict access to PHI.

7. A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.

8. Evidence of security awareness training for involved workforce members including training on workstation security.

9. Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

10. A copy of the written notification of the breach provided to the affected individuals.

11. A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification."

Could your organization come up with this in 21 days?

Compliance Helper can help you get compliant, stay compliant, and prove compliance with the Compliance Meter™ for a few dollars a day.
