Tuesday, March 21, 2017

Delays in Breach Notification = OCR Fines

The first OCR fine for 2017 was issued to Presence Health for a delay in notifying 836 patients of a breach experienced in 2013. Presence Health met the requirement of notifying HHS of the breach within 60 days after the end of the calendar year in which the breach was discovered (notification took place January 31, 2014).

Many articles have been written about the need to investigate a potential breach, establish what happened and how it happened, and do a thorough job of compiling as complete a list as possible of the names of all individuals affected by the breach so that notification can take place. What you don't want to do is forget the breach notification rule, which states that for a breach of any size, patients must be notified "without unreasonable delay, but in no case longer than 60 days." Certainly, there are a few exceptions, like law enforcement delay and other rare situations, but the rule is clear.

The fine is significant enough, but remember that a corrective action plan (CAP) generally comes along with the OCR fine. In this particular case, there was a requirement to revise existing policies and procedures related to the Breach Notification rule. Training materials would also need to be updated and provided to appropriate workforce members, with documentation of the date the training was provided. Evidence of compliance with the CAP is always required.

A couple of key takeaways: the OCR will investigate all breaches, and it generally takes a good bit of time for the OCR to make its determination based on the information requested and provided. The fine, if infractions are identified, will follow, and the CAP will take resources and an investment on the facility's part. Breaches and their impact are significant, and the financial costs associated with them run deep.

Read the full article here