Lessons Learned Article Series: Breaches, Risks, Outages, Part 2

All it takes is typing one additional letter or one additional number to send an email to the wrong recipient. For example, john.doe@emailprovider.com may be a different person than john.doe1@emailprovider.com. Also, many email programs come preset with auto-fill features: you begin typing an email address and the program offers any previously used address that starts with those same letters or characters. This auto-fill feature has led to many accidental emails being sent to the wrong recipient.

If patient information is sent to the incorrect person, or a message is intercepted, it could be a breach under HIPAA and possibly under state laws.

Prepare for the unexpected

In our previous article, we discussed the use of a disclaimer notifying the recipient of the insecurity of electronic communications and providing instructions in case of a misdirected message. In addition to a disclaimer, there are other steps you can take.

  1. Have patients sign an agreement confirming that they have agreed to receive electronic communications, such as email or facsimile.
  2. Include in the signed agreement an explanation of the potential risks to patients. State that their information could be intercepted or received by the wrong party, so that patients understand the risks and still agree to receive electronic communications.

Further, as a result of the HIPAA Omnibus Rule, covered entities must assess the probability that protected health information has been compromised based on a risk assessment that considers at least the following four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the protected health information or to whom the disclosure was made.
  3. Whether the protected health information was actually acquired or viewed.
  4. The extent to which the risk to the protected health information has been mitigated.

What if you breach an individual's PHI?

If you determine that a breach has, in fact, occurred, you must notify the affected individual(s) in writing of the breach. It is appropriate and expected to notify an individual if it is suspected that their PHI has been viewed, intercepted or received by unauthorized recipients.

The HITECH Act provides for both actual written notice to affected individuals and substitute notice to affected individuals if contact information is insufficient or out-of-date. The statute requires breach notifications to be sent by first-class mail to the last known address of the individual (or of the next of kin if the individual is deceased), or by electronic mail if the individual has specified it as the preferred method.

It is extremely important to make sure you have the correct mailing address and the correct email address, including the correct spelling.

What needs to be provided when notifying an individual of a breach?

Using the Omnibus Rule as a guide, the following are required to be included in a breach notification:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  2. A description of the types of unsecured protected health information that were involved in the breach.
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  4. A brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.
  5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, a Web site, or a postal address.

#LessonsLearned: identify, mitigate and document

Remember the covered entity that agreed to pay $218,400 and to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program? An important lesson learned from this settlement is that, in the event of a breach, large or small, it is extremely important to identify and respond to the known security incident in a timely manner, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

What if the covered entity had proactively identified the deficiencies in its HIPAA compliance program? Could it have prevented these incidents by mitigating those deficiencies? Keep these questions in mind while reading the next section.

Security Risk Analysis and Risk Management

A security risk analysis can be thought of as a seat belt for an organization. Properly used seat belts protect drivers and passengers from the risks of an accident. A security risk analysis, used properly, is essential to protecting patients' ePHI from the risk of a breach.

A security risk analysis and security risk management have common steps. It is important to review the existing security infrastructure, identify potential threats to patient privacy and security, and assess the impact on the confidentiality, integrity, and availability of your ePHI. Risks should be prioritized based on the severity of their impact.

The risk analysis should be used to create an action plan. The action plan should have five components: (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) policies and procedures; and (5) organizational standards. Once the plan is created, you should begin implementing it.

Risk management includes managing and mitigating risks with up-to-date policies and procedures, workforce education and training, communication with patients, and, last but not least, updating your business associate agreements.

The risks of a breach are real. A breach can be costly to any organization. Effectively creating a plan and managing it is essential to adequately protect health information and to provide protection for your organization.

According to OCR Director Jocelyn Samuels, "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure incidents are reported and mitigated in a timely manner."

We are here to help. Please make sure to contact us so we can help you with any or all of these processes.

If you have any questions about this #LessonsLearned article series, please feel free to comment below or send us an email at support@healthcarecompliancepros.com or reach us by phone toll-free at 855-427-0427.