Health Information Management

Ask these questions in your harm threshold risk assessment

HIM-HIPAA Insider, October 26, 2009

HHS’ interim final rule on breach notification includes a “harm threshold” provision that provides covered entities (CEs) an avenue to avoid reporting a breach to HHS. If the incident involves encrypted data compliant with HHS guidelines or if a risk assessment shows that the disclosure does not pose a significant risk to the affected individual, there is no breach.

But CEs and business associates (BAs) must follow systematic steps to reach that “no harm, no foul” conclusion. They must document their findings and have them readily available if an auditor requests them. Facilities should always conduct an informal or formal risk assessment regardless of whether the disclosure appears innocent.

John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says your risk assessment should answer the following questions:

  • Who was involved? How many patients’ information was breached?
  • Did the perpetrator copy the information, transfer it, change it, or simply look at it?
  • When did it happen? (This is important because the 60-day breach reporting window to HHS starts when you first learn of it.)
  • Is there a financial risk to the victim, a personal risk, or both?
  • Was the motive for the breach nefarious or casual?
  • Is the risk for further harm still there?
  • What can the organization do right now to ensure no further damage occurs?
  • What has the organization learned from the disclosure?
  • How can the organization prevent this in the future?

Editor’s note: This is an excerpt from the November issue of Briefings on HIPAA, the 12-page HCPro, Inc. newsletter.

Most Popular