If a HIPAA violation occurs, HIPAA Help Center’s Incident Response Tool provides users with reactionary steps to correct problems and preventative measures to stop the incident from occurring again. Through this module, users can appropriately address the incident by reviewing the problem and applying sanctions where applicable.
With the growing reliance on technology in the ever-changing world of medicine, HIPAA compliance can be challenging. Violations can happen, and when they do, it is crucial for covered entities to be prepared. HIPAA requires health care providers to report all known or suspected violations. This is where the Incident Response Tool comes into play.
Within this module, covered entities can effectively report an incident right from the dashboard. The module prompts the recording of specific details, such as the type of protected health information or breached assets involved. Once the health care provider reports the incident, the response can begin.
The seven-step process guides users through a quick and effective response to the situation.
- Evaluate: The evaluate step provides an overview of the report. At this point, application users can either dismiss the incident or start to investigate.
- Investigate: In the investigation step, health care providers answer pertinent incident-related questions, such as how many people were affected, whether the incident violated a HIPAA policy and if a crime should be reported to local authorities.
- Assess: This step poses a series of assessment questions. The health care providers’ responses to those questions determine a risk meter score.
- Remediation: After establishing the severity of the situation, covered entities outline the steps they are taking to respond to the incident and prevent similar occurrences.
- Sanction: Through a series of questions, HIPAA Help Center will aid health care providers in deciding the necessary sanctions that should be enforced for the violation, such as a verbal reprimand or retraining.
- Notification: HIPAA Help Center provides application users with a Notification to Individuals template that health care providers can customize to notify affected individuals. The notification step also directs covered entities on how to inform the U.S. Department of Health and Human Services.
- Summarize: After the application users select notification dates, they answer open-ended questions regarding the effectiveness of the incident response.
Frequently asked questions about responding to HIPAA violations:
If a covered entity corrects the problem, can the HHS Secretary still charge a fee?
The HHS Secretary cannot demand civil penalties, such as fees, if the covered entity resolves the incident within 30 days, though the HHS can extend that deadline in some situations. Therefore, it is crucial for covered entities to amend violations and make the proper adjustments in a timely manner with the Incident Response Tool.
How can covered entities demonstrate to the HHS that they have followed through with emendation?
The Incident Response Tool allows users to provide a summary of the emendation and even upload documents that coincide with the resolution. HIPAA Help Center application as a whole can help covered entities show auditors they have fulfilled obligations. For example, if the HHS required the covered entity to retrain workforce members on compliance, the assignment and tracking features of the Training module can showcase that obligation.