We’re all learning a great deal from the early enforcement of the Breach Notification Interim Final Rule (IFR). Are you aware of the “§ 164.414 Administrative requirements and burden of proof” requirements? The IFR reads as follows:

§ 164.414

(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.

(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402.

According to the HHS web site,

Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

What does all this mean? As with most other HIPAA-HITECH areas, among other things, you need:

  1. Documented policies and procedures
  2. A training and awareness program
  3. A security incident response, reporting and management system
  4. A formal, consistent, repeatable “triage” process to determine if a security incident constitutes a breach
  5. If applicable, documented evidence that all appropriate notifications have been made
  6. A sanction policy in the event members of the workforce do not comply with your policies and procedures

Wanna be hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on HIPAA Security and Privacy reminders or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.