In a recent session I conducted on the Omnibus Rule, I was answering questions from the audience. I tend to add humor to my sessions as much as possible. HIPAA isn’t a topic especially worthy of attentiveness on Saturday morning at 9am. The question was about how to handle a breach you need to report but are afraid you will “get yelled at” for making the report because your boss will “freak out”.
It is key to your breach plan that everyone understands the time limits involved in HIPAA breach reporting requirements. No one wants to do anything wrong or especially get in “trouble”. It is just human nature to protect ourselves and those we care about from any perceived harm. But, an incident that may indeed be a serious breach is NOT the time to keep a deep dark secret thinking it is the best protection for everyone.
Your culture of compliance and training plans should stress the importance of timely notifications. It is also important to stress what the appropriate responses are and how sanctions will be applied.
No need to pull a Gomer yelling “Citizen’s arr-ay-est!, citizen’s arr-ay-est!, citizen’s arr-ay-est!”.
Follow Barney’s advice and “Nip it! Nip it in the bud!”
Imagine this situation.
A clinical technician uses a laptop in a remote office once a week. When it is time to get the laptop to take to the new office this week, she can’t find it at the office. She checks her car and she checks at home. No laptop can be found. She goes to the remote office and acts as though she forgot to bring it. It could happen.
Every day that week she stresses out about not saying anything and not knowing where the laptop could be. She has freaked herself out so much by the second week of saying nothing she can’t concentrate. Finally, she brings it up to her co-worker. They both freak out for a few more days discussing it between themselves before it is time to go to the remote office again. Finally, they decide to take it to their supervisor.
The supervisor alerts the Security Officer and the breach plans are initiated to investigate what happened. At this point, it has been three weeks since the incident happened. A lot of people are going to have to get involved to determine what notifications, if any, need to be made. The time frame for notifying patients has been reduced by 3 full weeks because the staff member knew of the breach but didn’t notify anyone.
If the staff member had just stopped freaking out alone when the laptop couldn’t be found and gotten her supervisor or a compliance officer involved right away, she could have avoided the stress of keeping it quiet. Yes, there may be a real problem that is going to cause everyone to “freak out”. But, with these breach notification timelines it really means we should all freak out together, not any of us by ourselves. Just think of it like this: “The law says we should all freak out together, not by ourselves or in a small group.”
Review this issue with your staff as part of your training. It can’t hurt and hopefully will help everyone see it is much better to act sooner rather than later. Remember, though, it is important to not reprimand anyone for simply reporting a breach or you will immediately be setting yourself back. “Freak out together” means everyone, together, not AT each other.
A proper investigation can determine sanctions or other disciplinary actions that may apply. They shouldn’t be handled in the heat of the moment when people tend to “freak out” but instead after the investigation is done and there is confirmation of what has actually occurred. It is never a good idea to have staff afraid to report something because they “might get yelled at” by their supervisors. No one wins and everyone has a harder job.