HIPAA Violation or Breach
ScanSTAT Technologies places extreme emphasis on patient privacy and HIPAA compliance. As technology allows for the increasing automation of office workflows, it is important to remember that the transmission of sensitive information continues to be highly dependent on the expertise and discretion of healthcare data experts to guarantee that communication is accurate and compliant. When a rare unauthorized disclosure of protected health information (PHI) occurs, the ScanSTAT Compliance Team investigates the incident and follows a mitigation protocol in accordance with HIPAA standards. Ultimately, ScanSTAT best practices are working, as evidenced by our continually high annual accuracy rate of 99.97%.
Unauthorized Disclosures Investigation Protocol
Unauthorized disclosures typically fall into two categories: a breach or a violation. Occasionally an incident will present itself as a possible unauthorized disclosure, but on further investigation it is found to fit neither the breach nor the violation definition. When ScanSTAT is alerted to a possible unauthorized disclosure, we initiate the following protocol until we are able to classify the situation as a breach, a violation, or a non-applicable incident.
- The ScanSTAT team member alerted to the incident gathers all pertinent and required information regarding the possible unauthorized disclosure.
- Within two hours of discovery, the ScanSTAT team member must notify our Compliance Team as well as the appropriate supervisors.
- After the ScanSTAT Compliance Team is notified, they investigate the incident, including a thorough point-by-point audit of procedures.
- The ScanSTAT Compliance Team notifies the clinic of the incident within two business days.
- Involved ScanSTAT managers and supervisors are notified of the incident and the possible errors resulting in the disclosure. They then retrain involved staff members.
- The ScanSTAT Compliance Team executes risk mitigation efforts, including reaching out to an unauthorized recipient (who is not a Covered Entity) to obtain an executed confidentiality statement to prevent redisclosure.
- Per HIPAA guidelines, the ScanSTAT Compliance Team completes a risk assessment, including:
  - The nature and extent of the PHI involved and the likelihood of identification
  - The unauthorized person to whom the disclosure was made
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated
- The ScanSTAT Compliance Team completes all investigations within a maximum of 60 days (or the outer limit determined by state-specific law, when applicable), prepares a reporting package summarizing the investigation, and recommends that the situation be classified as either a breach, a violation, or a non-applicable incident.
- The ScanSTAT Compliance Team and the involved clinic will determine whether the involved patient will be notified of the incident, based on the results of the risk assessment and incident classification, and if necessary, who will notify the patient; they will also complete any other state-specific protocols.
- Following the completion of the calendar year, the ScanSTAT Compliance Team will contact any clinic with an incident classified as breach to determine if ScanSTAT as the Business Associate will report the incident to the Office of Civil Rights (OCR), or if the clinic as the Covered Entity
ScanSTAT Technologies is continually monitoring, understanding, and following the ever-evolving regulatory standards which govern our business processes. Should you have questions regarding this process, please contact our Compliance Manager.