Riptide checking in...starting to warm up finally in New Jersey.
My list for today...
Scot Lovejoy RPh. CHC CHPC
Chief Pharmacy Officer
9 Campus Drive, 2nd Floor East
Parsippany, N.J. 07054
(O) 973-540-8400 x227
7 Elements/17 Sub-Elements
SongBird Checking in.
Lloyd, I am glad you (and your neighbors) are safe!
I have been working on Breach Policies, so here's how I memorize my 164.4xx's list:
Here's my question for the day:
The "burden of proof" language (164.416) reads that the CE has the burden of demonstrating that all notifications were made as required... or that the use/disclosure did not constitute a breach.
We received guidance from a consulting firm that my breach policy should have a procedure that is a work flow (flow chart) and has an objective calculator to determine if an incident meets the definition of breach. I am finding that I am spending an inordinate amount of time trying to create something that I already know and do... I have a form I complete/document that goes through all the definitions, exceptions and mitigation... It doesn't have a "calculator".
My policy reads pretty much like the rule reads, but I don't have procedures WRITTEN because, truthfully, I'm the only one who DOES the analysis (with oversight by my compliance committee).
I feel like I'm lost in the weeds.
Can anyone help me see my way out?
Thanks in advance.
Marcia A. Rasch, PhD, CHC
Compliance Officer
HealthSource of Ohio
424 Wards Corner Road, Suite 200
Loveland, OH 45140
PH: 513-707-4021 Fax: 513-707-5676
email@example.com
www.healthsourceofohio.org
I'll take another shot – I'll relook at my form, and just dump my process out of my head onto a written procedure!
I welcome everyone's C & C!
Have a great day!
2 A 4 D 6 S 8 A 10 P 12 T 14 O 16 P 18 C
0 A – 400 – Applicability
2 D – 402 – Definitions
4 N – Notification to individuals
6 N – Notifications to the media
8 N – Notification to the Secretary
10 N – Notification by a business associate
12 L – Law enforcement delay
14 A – Administrative requirements and burden of proof
Marcia and Frank,
This brings up another scenario question in my mind.
Suppose you have a CE, that CE has a BA, and that BA has a subcontractor. The subcontractor to the BA informs the BA that they have had a computer misplaced and possibly stolen. They are not sure if it had any PHI from the CE on it. The BA informs the CE's Compliance Director of the incident. The Compliance Director and the BA then determine there was PHI on the laptop, and that fewer than 500 individuals' PHI was involved. What would the Compliance Officer do next?
1 - Would the Compliance Officer tell the BA they have to send out the notices?
2 - Would the CE send out the breach notices?
3 - Would the Sub contractor send out the breach notices?
I would love to hear some input.
Vicky Roe, RN CHC CPMA
Southeast Georgia Health System, Inc.
2415 Parkwood Drive, Brunswick, GA 31520
Office: (912) 466-3264 Fax: (912) 466-7044 Email: firstname.lastname@example.org
Oh yeah...I like these...hopefully we get some C&C!

1 - Would the Compliance Officer tell the BA they have to send out the notices?

The question of "who" will actually send out the notices is likely going to be a case-by-case decision. When considering these questions, remember that in the end, though you can find many blogs and web postings that can be confusing...the regs clearly state that the CE or BA, as applicable, will have the burden of demonstrating that the notifications were done. So this is a classic case where the answer "it depends" applies very well and reasonably. Also, there may be obligations in the BAA or service contract that if the BA is responsible for the breach, the BA is also responsible for completing the required notifications to the individuals...for example. There really is no ONE answer...several possibilities.

2 - Would the CE send out the breach notices?

That is one option.

3 - Would the Sub contractor send out the breach notices?

That is the other option. I'll add another funky curve ball...you could even have the CE...and...BA send out notices. Again...case by case. I've seen this done as well.
I love these too!
I agree with Frank: "it depends".
It depends on the language in the BAA/contract agreement with the BA (does it state expectations?)
It depends how the BA wrote the subcontractor agreement...
It depends on how "reliable" the BA is.
The other potentially "negotiable" area is WHO will pay for the credit monitoring (if required) and any additional expenses that may be included in the notifications.
I believe that ultimately, it's the CE who needs to make sure they get DONE – but doesn't mean the CE has to do it!
However, one thing the CE would consider: the level of cooperation by the BA would likely influence whether the CE will CONTINUE the relationship with the BA, or whether the CE goes and finds a different, more reliable vendor!
On the other hand...at least they TOLD the CE it occurred! That's a giant step for some BAs!
How's that for C & C?
Ok...think about this...
If you had to choose the best answer, and you have no idea what the contract says, your choices are:
1. The CE tells the BA they have to send out the Breach Notifications
2. The sub-contractor is the one responsible to send out the breach notices.
3. The CE sends out the breach notices
4. The CE tells the BA to cancel the contract with the sub-contractor
I'd have chosen option 1, until I looked at the rule today.
In the past, I (the CE) have worked with the BA to send out the breach notices, but the CE gets a full report on the total number sent, return receipts, etc. and has full oversight/input to conclusion. The CE reports to OCR at the end of the year.
HOWEVER, since I am neck deep in the rule, here's what 164.410(c)(2) says (line 2019 of Frank's version):
2. A BA shall provide the CE with any other available information that the CE is required to include in notification to the individual under 164.404(c) (the letter) at the time of the notification required by paragraph (a) of this section....
The rule just says the BA shall notify the CE!! So, I guess I back pedal!
Good thing I'm still writing my policy.
Thank you for making me re-think this! I went back and read the regs again, and you are right, there is no mention of the BA having any responsibility to send out the breach letters. They only have to give the CE "any available information that the covered entity is required to include in notification to the individual under 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available."
I learned something today!
In this sample Business Associate Agreement provided by HHS, it states this, which seems to say that the Business Associate could be the one to notify:
Thank you for sharing the sample agreement. I am reading it as Marcia said earlier: according to your specific contract, you could have it built in that the BA has to do the Breach Notifications. However, according to the regulations, I don't see that there is specific wording that the BAs are responsible for sending out the breach notifications. The CE is ultimately responsible for making sure the notifications go out.
I love this C & C. I feel I really learned something today.
Yes, our attorney says she wants all BAAs to include their obligation to the extent possible.
But sometimes, it's not possible!
That language just makes me think, we need to understand the PURPOSE or SPIRIT of the rule, instead of trying to comply with just the language of the rule.
I think that may be where I get hung up at times... when my OCD takes over.
Thanks for the great discussion today!
SongBird signing off!
I just finished my draft of procedure.
I think I had a "hangover" from Pre-HITECH.
BTW- I LOVE Frank's version of the HIPAA rules!
THANK YOU FRANK!