
We’re all learning a great deal from the early enforcement of the Breach Notification Interim Final Rule (IFR). Are you aware of the “§ 164.414 Administrative requirements and burden of proof” requirements? The IFR reads as follows:

§ 164.414

(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.

(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402.

According to the HHS web site,

Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.  This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.  For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

What does all this mean?  Like most other HIPAA-HITECH areas, among other things, you need:

  1. Documented policies and procedures
  2. A training and awareness program
  3. A security incident response, reporting and management system
  4. A formal, consistent, repeatable “triage” process to determine if a security incident constitutes a breach
  5. If applicable, documented evidence that all appropriate notifications have been made
  6. A sanction policy in the event members of the workforce do not comply with your policies and procedures

Wanna be hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on HIPAA Security and Privacy reminders or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.