DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the Privacy Rule requirement to mitigate, to the extent practicable, harmful effects of PHI uses and disclosures.
What is the Privacy Rule Mitigation Requirement?
Per the Privacy Rule at 45 CFR 164.530(f), a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of the Privacy Rule by the covered entity or its business associate.
As part of this mitigation requirement, covered entities should take measures such as:
1. Ensuring that mitigation plans are developed, implemented, and applied in accordance with the covered entity's policies and procedures.
2. In response to a report of or information about a workforce member’s or business associate’s unauthorized use or disclosure of PHI, acting promptly to reduce any known or reasonably anticipated harmful effects from the disclosure.
In an electronic environment, specific mitigation measures may include:
1. Identifying the cause of the violation and amending privacy policies and technical procedures, as necessary, to prevent recurrence.
2. Contacting the network administrator, as well as other potentially affected entities, to try to retrieve or otherwise limit the further distribution of improperly disclosed information.
3. Notifying individuals of a violation if an individual needs to take self-protective measures to ameliorate or avoid the harm, as in the case of potential identity theft.
The HIPAA Breach Notification Rule also contains a mitigation requirement. When there has been a breach of unsecured PHI, the required notification to be sent to individuals must include (among other things):
1. Any steps individuals should take to protect themselves from potential harm resulting from the breach.
Individuals may protect themselves through measures such as enrolling in credit monitoring and placing a fraud alert with the three major credit bureaus; monitoring account statements, EOBs, and credit bureau reports closely; contacting their state's Consumer Protection Agency; and, if they have information that their PHI has been compromised, notifying law enforcement to assist in the investigation (this can include contacting and/or filing a report with local law enforcement, the state attorney general office, and the Federal Trade Commission).
2. A brief description of what a covered entity or business associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
Measures covered entities and business associates can take to mitigate harm to individuals include: initiating a forensic security investigation; filing a police report; initiating a criminal investigation; imposing appropriate workforce sanctions; addressing operational or technology updates or changes triggered by an incident to improve confidentiality, such as strengthening technology safeguards or administrative policies and procedures; and, if appropriate, cancelling a business associate contract.