You are the new HIPAA Privacy Officer at a local clinic in Duluth, MN. The previous privacy officer was very organized and ran a great HIPAA Privacy Compliance Program. During your first week on the job, you analyzed old data breaches, looking for trends or commonalities among them. You noticed that only the following information was being collected during the Data Breach Risk Assessment Process:
Date of the Data Breach
Date of the Discovery of the Data Breach
What information was breached
Who breached the information (internally)
Short description of the breach
What was done to reduce the chance of another breach happening
Any workforce disciplinary actions that resulted from the breach
Based on your previous role, you knew that there were additional data elements that should be collected during the breach risk assessment process. You have been asked to create a new breach risk assessment form to make sure the clinic is collecting all the necessary information to comply with the regulation and report a data breach.
Assignment Requirements
Analyze the Data Breach Risk Assessment Requirements below:
https://www.hhs.gov/hipaa/for-professionals/breach-notification/
https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-securityguide.pdf (Chapter 7, page 56)
Analyze the HIPAA Audit Protocol, Section 164.402, to determine what information needs to be collected on the breach risk assessment (it helps to use the find function and search for "Risk Assessment").
https://www.hhs.gov/hipaa/for-professionals/complianceenforcement/audit/protocol/
Review the information that is reported on the HHS Breach Notification Report (hint: all the elements on this report are information that must be reported).
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Compare the information currently being collected to discover what is missing from the current data collection process of the HIPAA Breach Notification Risk Assessment.