Breach Notification Policy - HIPAA
Revision History
1. Objective
The purpose is to establish a procedure to mitigate, to the extent practicable, any
harmful effect that results from an unauthorized use or disclosure of Protected
Health Information (PHI).
2. Scope
This policy applies to all (Company name) workforce members including, but not
limited to full-time employees, part-time employees, trainees, volunteers,
contractors, and temporary workers.
Breach Notification Policy
Reference 45 CFR 164.308(b) 164.314 Ver. No. 1.0
3. Process Overview
This process describes the actions to be taken for a breach incident; it involves
the relevant stakeholders and is chaired by the Privacy Officer of (Company name).
Every employee and associate has an obligation to notify (Company name) of any
use or disclosure of PHI not permitted by the contract between the Associate and
(Company name) within five (5) business days of the Associate's learning of such use or
disclosure.
4. Policy
(Company name) will take positive action to minimize known harmful effects
resulting from the unauthorized use or disclosure of PHI, and will alleviate known
instances of harm where the use or disclosure is in violation of (Company name)
Administrative Policies and Procedures or HIPAA Privacy Regulations.
Process Details
Tasks
1. Upon receiving any information from any source that PHI may have been
used or disclosed, intentionally or inadvertently, in a manner that does not
comply with (Company name) Administrative Policies, Procedures or the
HIPAA Privacy Regulations, (Company name) personnel will report such use
or disclosure to the Privacy Office.
2. The Privacy Officer will formally notify the Covered Entity if the Business
Associate (BA) agreement contains this clause.
3. (Company name) personnel will also take steps to stop or limit any such use or
disclosure.
4. The Privacy Office will investigate the report and determine whether the use
or disclosure failed to comply with (Company name) policies and procedures.
5. If the Privacy Officer determines that the use or disclosure violated (Company
name) policy, the Privacy Officer will contact the person or persons
responsible for the violation (“the original source”) and take all practicable
measures to retrieve and cease any further use or disclosure of the
information. Also, the Privacy Officer will determine from the original source
all of the persons or entities receiving the PHI from the original source.
6. If the Privacy Officer determines that the original source is an employee of
(Company name), the Privacy Officer will report the matter to the original
source’s Supervisor and to the Human Resources (HR) Department. The
Supervisor and the HR Department will consult with the Privacy Officer on
References
Omnibus HIPAA Final Rulemaking,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and
Human Services, August 14, 2002,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
HIPAA Breach Notification Rule,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Health Information Privacy, Security, and EHR,
http://www.healthit.gov/providers-professionals/ehr-privacy-security
Achieve Meaningful Use: Protect Electronic Health Information,
http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information
http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/protect-electronic-health-information