HIPAA…. We all know everything there is to know about HIPAA, right??
…… Wrong.
One aspect of HIPAA that gets almost all the attention is how to prevent breaches of private healthcare information. If your specialty pharmacy is accredited, you have been through a bunch of orientations pounding the requirements into your brain.
But, how many orientations have you survived that focus on what to do after a breach of private information? We’ve provided a link to a good, but lengthy, article for your reading pleasure….. Ensuring Transparency: Language to Avoid in HIPAA Breach Notifications. The article is well worth a read if you are a specialty pharmacy professional….. for HIPAA compliance officers this should be a must read.
The author correctly states, “Breach notifications [to patients following a breach] often contain wishy-washy wording… while it may meet the minimum legal requirements, it doesn’t really tell people what actually happened to their personal information.”
In terms of transparency when it comes to HIPAA, notifications must include a brief description of the breach, types of information involved, steps affected patients should take to protect against potential harm, and what the covered entity is doing to both investigate the breach – and to prevent future incidents. Notices must also include contact information.
Health care providers should also be aware that HIPAA is not the only regulation that should govern their response to a security incident. States, federal regulations, and even foreign laws like the General Data Protection Regulation, may also govern the appropriate response.
So, is that it? Oh, no it is not.
The primary requirement in the aftermath of a breach is to be transparent in the notice to impacted patients. The secondary requirement is to know what language to avoid when making those communications.
Here are some highlights—-
avoid language that creates more uncertainty or anxiety
focus on what is known, not what is unknown , do not engage in speculation
avoid unsubstantiated facts….. but state (when pertinent) that certain facts may not known or are being withheld for security, legal or other reasons and provide supplemental notifications when more facts are known and can be shared
avoid deflecting blame for the incident by accepting qualified responsibility
don’t attempt to place the blame on another entity, such as the threat actor or a third-party vendor.
The article finishes with a section on best practices.
