Introduction:

Security breaches in the healthcare industry are, unfortunately, all too common.

"Between 2009 and 2019 there have been 3,054 healthcare data breaches involving more than 500 records. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 230,954,151 healthcare records. That equates to more than 69.78% of the population of the United States. In 2019, healthcare data breaches were reported at a rate of 1.4 per day." - HIPAA Journal, Healthcare Data Breach Statistics

With the risk of a breach being so high, it's imperative that both covered entities and business associates take the appropriate measures to identify and report breaches as early as possible.

Currently, the figures suggest that not enough is being done.

"What’s worse is that it took the breached US organizations an average of 245 days to identify and contain a breach. However, the report tied breach response directly to cost saving. Organizations that detected and contained the breach in less than 200 days spent $1.2 million less on total breach costs." - Jessica Davis, Data Breaches Cost Healthcare $6.5M, or $429 Per Patient Record

This checklist template has been built to help you identify and report data breaches as efficiently as possible.

Our dynamic due dates feature will ensure that you file a notice to the Secretary of the HHS within 60 days, while conditional logic will automatically customize the checklist depending on whether you are the covered entity or a business associate, and whether the breach affected 500 or more individuals or fewer than 500.

Let's get going!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Enter basic details

First, enter some basic details regarding your organization and the individual responsible for managing IT security.

Identification:

Provide a summary of how the breach was discovered

In the form field below, provide a concise summary of how the breach was initially discovered. 

This should be written by the individual who discovered the breach, or transcribed as it is described verbally. 

State the nature and extent of the PHI involved

Detail the nature and extent of the PHI involved. 

Detail the unauthorized person to whom the disclosure was made

Provide basic details regarding the unauthorized individual who used the PHI or to whom the disclosure was made.

Determine whether the PHI was acquired or viewed

Determine whether the PHI was actually acquired or viewed by the unauthorized person. 

Determine if 500 or more individuals were affected

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. 

If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate.

Breaches affecting 500 or more individuals

If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

Breaches affecting fewer than 500 individuals

A covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.)

The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.
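The two deadline rules above, and the business associate's own 60-day obligation to the covered entity, can be expressed as a small calculator. This is an added example, not part of the Process Street template; the function names are mine, and the calendar arithmetic follows the rules as stated on this page (60 calendar days from discovery for 500 or more individuals; 60 days after the end of the calendar year of discovery for fewer than 500).

```python
from datetime import date, timedelta

# Thresholds as stated in the checklist (45 CFR 164.408 splits reporting at 500 individuals).
LARGE_BREACH_THRESHOLD = 500
NOTICE_WINDOW_DAYS = 60


def business_associate_deadline(discovery: date) -> date:
    """Latest date a business associate may notify the covered entity (60 days from discovery)."""
    return discovery + timedelta(days=NOTICE_WINDOW_DAYS)


def hhs_notice_deadline(discovery: date, individuals_affected: int) -> date:
    """Latest date the covered entity may notify the Secretary of HHS.

    500 or more individuals: 60 calendar days from discovery. The rule also says
    'without unreasonable delay', which a date calculator cannot judge, so treat
    the returned date as an outer bound, not a target.
    Fewer than 500: 60 days after the end of the calendar year in which the
    breach was discovered; filing earlier is permitted. If the count is still an
    estimate, pass the estimate and recompute when it is revised.
    """
    if individuals_affected < 0:
        raise ValueError("affected count cannot be negative")
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return discovery + timedelta(days=NOTICE_WINDOW_DAYS)
    year_end = date(discovery.year, 12, 31)
    # Dec 31 + 60 days lands on Mar 1, or Feb 29 when the following year is a leap year.
    return year_end + timedelta(days=NOTICE_WINDOW_DAYS)


def days_remaining(deadline: date, today: date) -> int:
    """Positive while time remains, zero on the deadline day, negative once overdue."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: breach discovered 15 Nov 2023, count first estimated at 120,
    # later revised to 1,200. The revision moves the deadline from Feb 2024 to Jan 2024.
    discovered = date(2023, 11, 15)
    for estimate in (120, 1200):
        due = hhs_notice_deadline(discovered, estimate)
        print(f"{estimate:>5} affected -> notify HHS by {due} "
              f"({days_remaining(due, date(2024, 1, 10))} days left on 2024-01-10)")
```

Re-run the calculator whenever the affected count estimate changes; a revision that crosses the 500 threshold can shorten the deadline by months.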


Check out this HHS.gov web page for more information on submitting a notice of breach to the Secretary.

Approval: Breach correctly identified

Will be submitted for approval:
  • Provide a summary of how the breach was discovered
  • State the nature and extent of the PHI involved
  • Detail the unauthorized person to whom the disclosure was made
  • Determine whether the PHI was acquired or viewed
  • Determine if 500 or more individuals were affected

Risk mitigation measures:

Detail the extent to which the risk to the PHI has been mitigated

In the form field below, detail the extent to which the risk to the PHI has been mitigated. 

What measures have been taken to minimize damage as a result of the breach?

Reporting:

Notify the covered entity within 60 days

As a business associate, you have an obligation to notify the covered entity of the breach within 60 days of its discovery. 

Although the responsibility falls onto covered entities to notify affected individuals, they may assign their business associates, where appropriate, to inform the affected individuals. This is based on factors such as which organization deals directly with the individuals and what functions the business associate performs for the covered entity.

File the notice to the Secretary of the HHS

The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.

Link: https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf

File the notice to the Secretary of the HHS (within 60 days)

Because the breach has affected 500 or more individuals, you have 60 calendar days from discovery to notify the Secretary.

The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.

Link: https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf

Final steps:

Ensure all breach documentation is safely stored

Ensure all of the breach documentation is safely stored. 

This is critical as there may be investigations or legal proceedings in the future, for which the covered entity must be able to present documentation regarding the breach and how it was managed. 

Approval: Breach report filed

Will be submitted for approval:
  • Ensure all breach documentation is safely stored
