News Feature | June 4, 2014

AHIMA Provides Breach Management Toolkit

By Megan Williams, contributing writer


Healthcare has been teeming with warnings about gaps in information security, and knowledgeable professionals, both inside and outside the industry, have responded with advice, guidelines, and general recommendations on how organizations can best protect themselves. Last month, though, the American Health Information Management Association (AHIMA) released its Breach Management Toolkit — a document that goes beyond its previously issued recommendations on audits and walks readers through the requirements of a breach notification letter.

The primary purpose of the toolkit is to give HIM professionals a single place where a comprehensive collection of resources and best practices is available. The toolkit is ultimately intended as a framework and reference guide for breach investigation, determination, mitigation, notification, and reporting processes, and as an aid to understanding and complying with federal regulations on data breaches.

An Excerpt From The Toolkit

For example, an excerpt from the toolkit provides guidance on what to include in a data breach notification letter:

The breach notification letter must contain five required elements addressed in a customized manner according to the situational circumstances and consisting of:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known

2. A description of the types of unsecured PHI (protected health information) that were involved in the breach (i.e., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)

3. Any steps individuals should take to protect themselves from potential harm resulting from the breach

4. A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches

5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address, if appropriate. The organization may include other customized information, including:

  • Information about steps the organization is taking to prevent future similar breaches
  • Information about sanctions the organization imposed on workforce members involved in the breach; the identity of workforce members should be disclosed on a need-to-know basis according to organizational policy
  • Consumer advice directing the individual to review account statements and monitor credit reports
  • Recommendations that the individual place a fraud alert on their credit card accounts, or contact a credit bureau to obtain credit monitoring services, if appropriate
  • Contact information for credit reporting agencies, including the information needed for reports for criminal investigation and law enforcement
  • Contact information for national consumer reporting agencies

Going Deeper

A sample notification (created by AHIMA), written in response to a situation in which a temporary worker misused customer data (the breach required notification of the Maryland Attorney General’s office), is available for viewing here. The toolkit itself is available to all AHIMA members here.