HIPAA Policy Section 8.4: Mitigation of Known Privacy Violations

Document Description

System shall mitigate, to the extent practicable, any known harmful effects of Uses and Disclosures in violation of the HIPAA Privacy Standards or the Manual.

8.4(1) Mitigation of Known Privacy Violations

  1. If a System official or employee learns of a Use or Disclosure of PHI by Health Care Component staff or a Business Associate that is a violation of the HIPAA Privacy Standards or this Manual or results in a harmful effect, that person shall report such violation, and any other relevant facts, to the Privacy Officer without delay.
  2. Upon learning of a Use or Disclosure that is a violation, the Privacy Officer shall determine, in his or her discretion, whether any harmful effects might result, or have resulted, from the Use or Disclosure and whether System can practicably mitigate such harmful effects. The Privacy Officer shall work with other System officials and staff, as appropriate, to mitigate, to the extent possible, any known harmful effects of the applicable Use and Disclosure of PHI.
  3. To determine proper mitigation activities, the Privacy Officer may consider (i) to whom the PHI has been Disclosed; (ii) how the PHI might be used to cause harm; and (iii) what steps could actually have a mitigating effect with respect to the particular situation. Examples of potential mitigation activities include:
    • Taking operational and procedural corrective measures to remedy violations;
    • Notifying individuals who are able and appropriate to prevent harm;
    • Recommending sanctions against the person responsible for the privacy violation in accordance with Section 8.5 of this Manual; and
    • Incorporating a mitigation solution into the policies and procedures compiled in this Manual in accordance with Section 9.1 of this Manual.

8.4(2) Documentation of Mitigation Efforts

System shall document its efforts to mitigate the harmful effects of a privacy violation. Such documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(f)

65 Fed. Reg. at 82,562-63, 82,747-48 (Dec. 28, 2000)

Details

Responsible Office(s): Employee Benefits

Document Type: HIPAA