IR-07—External Communication of Incidents: Protected Health Information
Control Description

Theme
Type
Policy/Standard
Incident Management Policy

Implementation Guidance

1. Design the process to validate whether an incident includes Protected Health Information (PHI).
2. Ensure that all incidents involving a breach have been communicated to the covered entity within 60 days, or within the timeframe set by the covered entity's Business Associate Agreement.
3. Ensure that the communication provided all of the following information to the covered entity:
   • Description of the event
   • Description of the information that was compromised
   • Identification of the individuals whose PHI was compromised
   • Steps required to protect the affected individuals
   • Investigation plan
   • Contact information
Testing Procedure

1. Validate that every incident was assessed for whether it includes Protected Health Information (PHI).
2. Inspect whether all incidents involving a breach have been communicated to the covered entity within 60 days, or within the timeframe set by the covered entity's Business Associate Agreement.
3. Validate that the communication was sent to the covered entity and included all of the following information:
   • Description of the event
   • Description of the information that was compromised
   • Identification of the individuals whose PHI was compromised
   • Steps required to protect the affected individuals
   • Investigation plan
   • Contact information
Audit Artifacts