Health Plan (7.4)
P-OPS 12 - Breach Handling
The Basics
This standard outlines the requirements for your organization when a privacy breach is discovered. The process must include:
- Recording the date your organization knew or should have known of the breach (under the HIPAA Breach Notification Rule this discovery date starts the notification clock, so it must be captured accurately);
- Notifying the privacy and security official(s);
- Determining whether a breach actually occurred;
- Once it's determined that a breach did, in fact, occur:
  - Recording the date of the breach;
  - Mitigating the cause;
  - Notifying the covered entity (if you're a Business Associate) consistent with the requirements of your BAA with that entity;
  - Providing any legally required notice to affected individuals;
  - Providing legally required notice to the federal government (HHS); and
  - Conducting evaluation and remediation after the breach.
Management Tips
Keys to making sure your organization will meet the requirements of this standard are to:
- Ensure that the entire staff is well trained on what to do when a breach is suspected;
- Ensure that the staff charged with handling breaches properly document every action taken in response to the breach, including the dates of discovery, determination, mitigation, and each notification;
- Ensure that everybody is trained in your P&Ps and the requirements of your BAAs.
Accreditation Tips
Desktop Review
You'll need to submit the policies and procedures that cover breaches of security and privacy, making sure they address all elements of this standard.
Validation Review
Interviews
The reviewer will assess compliance with this standard via interviews with the senior clinician, the compliance officer(s), relevant staff in customer service, UM, and QM, and any other supervisory personnel involved in breach issues.
Document review
Using your log of privacy breaches, the reviewer will select some breaches from that log and examine the documentation of how your organization handled them.