HIPAA Regulatory Alert

Free tool assesses privacy risks

Frequent news stories and headlines about the Department of Health and Human Services (HHS) Office for Civil Rights' (OCR) crackdown on covered entities that have reported data breaches or other privacy rule violations increase the importance of continually assessing compliance with privacy and security rules.

A free, interactive toolkit that helps healthcare compliance, privacy, and information security officers assess and mitigate risks within their organizations is available from ID Experts, a Portland, OR-based software company.

The toolkit also offers information to help organizations prepare for OCR investigations. "The biggest challenge is that every OCR investigation is different, and the only way an organization will survive one is if it is completely aware of the potential paths of the investigator and prepared," said Rick Kam, CIPP, president and co-founder of ID Experts.  

Twelve steps that healthcare organizations can take to prepare for an OCR investigation are:

1. Assign privacy and security responsibility. Ensure accountability for patient privacy with a specifically designated privacy official in your organization.

2. Conduct an annual risk analysis. Carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.

3. Address security vulnerabilities. Implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment.

4. Train workforce. Train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement.

5. Develop policies and procedures. Develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI.

6. Prepare for privacy incidents. Develop procedures and tools for compliant investigation, analysis, and review.

7. Report incidents. Capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred.

8. Analyze incidents. Develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities.

9. Document patient notification. Develop and document your notification to individuals affected by the data breach, including all means used to ensure delivery of the notification.

10. Mitigate harm to affected individuals. Describe actions taken to mitigate the harm to individuals/patients affected by the breach.

11. Send notifications to regulators and media. Develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media.

12. Determine root cause and corrective actions. Determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions.


To access the free toolkit and checklist, go to www2.idexpertscorp.com, select "Breach Tools" from the top navigation bar. At the next page, scroll down to "OCR Survival Tool," then "Download Tool Here."