Health Plan (7.4) 7.4

P-OPS 12 - Breach Handling

Submitted by: Tom Goddard

The Basics

This standard outlines the requirements for your organization when a privacy breach is discovered. The process must include:

  • Recording the date your organization knew or should have known of the breach;
  • Notifying the privacy and security official(s);
  • Determining whether a breach actually occurred;
  • Once it's determined that a breach did, in fact, occur, 
    • Recording the date of the breach;
    • Mitigating the cause;
    • Notifying the covered entity (if you're a Business Associate) consistent with the requirements of your BAA with that entity;
    • Providing any legally required notice to affected individuals;
    • Providing legally required notice to the federal government (HHS); and
    • Conducting evaluation and remediation after the breach.

Management Tips

Keys to making sure your organization will meet the requirements of this standard are to:

  • Ensure that the entire staff is well trained on what to do with a suspected breach;
  • Ensure that the staff charged with handling breaches properly documents every action taken in response to the breach;
  • Ensure that everybody is trained in your P&Ps and the requirements of your BAAs.

Finally, be sure that your policy explicitly references both the privacy and the security officer in relationship to the notification requirement of element (b).

Accreditation Tips

Desktop Review

You'll need to submit the policies and procedures that cover breaches of security and privacy, making sure they address all elements of this standard.

Validation Review

Interviews

The reviewer will assess compliance with this standard via interviews with the senior clinician, the compliance officer(s), relevant staff in customer service, UM, and QM, and any other supervisory personnel involved in breach issues.

Document review

The reviewer, using a log of privacy breaches, selects some breaches from that log and examines the documentation of how your organization handled those breaches.
