Health Plan (7.4) 7.4
P-OPS 12 - Breach Handling
This standard outlines the requirements for your organization when a privacy breach is discovered. The process must include:
- Recording the date your organization knew or should have known of the breach;
- Notifying the privacy and security official(s);
- Determining whether a breach actually occurred;
- Once it's determined that a breach did, in fact, occur,
- Recording the date of the breach;
- Mitigating the cause;
- Notifying the covered entity (if you're a Business Associate) consistent with the requirements of your BAA with that entity;
- Providing any legal required notice to affected individuals;
- Providing legally required notice to the federal government (HHS); and
- Conducting evaluation and remediation after the breach.
Keys to making sure your organization will meet the requirements of this standard are to:
- Ensure that the entire staff is well trained on what to do with a suspected breach;
- Ensure that the staff charged with handling breaches properly documents every action taken in response to the breach;
- Ensure that everybody is trained in your P&Ps and the requirements of your BAAs.
You'll need to submit the policies and procedures that cover breaches of security and privacy, making sure they address all elements of this standard.
The reviewer will assess compliance with this standard via interviews with the senior clinician, the compliance officer(s), relevant staff in customer service, UM, and QM, and any other supervisory personnel involved in breach issues.
The reviewer, using a log of privacy breaches, select some breaches from that log and examine the documentation of how your organization handled those breaches.