The interim final breach notification rule, now in effect, requires Covered Entities to notify individuals whose Protected Health Information (PHI) has been impermissibly disclosed. Your plan should include consideration of notification letters to individuals … now! Here’s our advice about the details that are essential to include in letters to affected patients, as well as in notices posted on websites, to help rebuild trust. We recommend these four key considerations as you develop notification letters to individuals:
- Understand the guidelines (both the Federal and the state guidelines) and how they differ and what exactly is required of you in the affected jurisdictions; this may mean you need to work with a vendor that is experienced in these matters.
- Come clean, early and fully. Unlike wine, bad news doesn’t age well. The IFR requires: a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the Covered Entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the Covered Entity.
- Clearly explain how individuals can contact the three major credit reporting agencies (Experian | Equifax | TransUnion) to get a free copy of their credit report, and offer assistance with doing so. Credit monitoring assistance and similar support should also be offered.
- Above all, make it very easy for affected individuals to reach you or your agent for help.
- Read more on HealthInfoSecurity.com: Data Breach Planning Notification Tips – How to Avoid Creating Unnecessary Risk …
- Download the 15-minute Podcast
- Join our new AboutHIPAA LinkedIn Group – http://abouthipaali.org/
See our list of upcoming live webinars, or check out our on-demand webinars with resources you may have missed.