HIPAA in the Real World (Part 2): Breach Notification
So the first thing was I helped them to draft a letter informing both the government and the patients about the circumstances. Of course you want to be accurate but you also want to portray the circumstances in a way that shows that the organization has done the best that it could to help prevent this kind of thing from happening.
Now, we live in an electronic age, nothing is 100% secure. But it’s important to know what your compliance obligations are and to show that you’ve done a reasonably good job of trying to meet them.
So thankfully again some of the basics were in place, they were a long way from being compliant but I didn’t think that they were guilty of willful neglect either. This was a first time violation and so the hope was that all they would get would be a regulatory slap on the wrist.
Now, after drafting the breach notification letter, I made sure that they notified the patients. Another thing they had to do was to mitigate the risks of the breach. So they offered the patients two years of free identity theft protection to help them with all the consequences. Because if you’re a patient and you get a letter saying that your name, your address, your social security, the name of your minister, your treatments, everything’s been compromised, you’re going to be worried. So they had to do something to help these patients live with that fear and mitigate the consequences to the best they could.
Also, as part of their disciplinary procedures, I counseled them to discipline or sanction the employee.