
IR-07 External Communication of Incidents: Protected Health Information

>Control Description

Organization communicates the discovery and status of the breach of Protected Health Information (PHI) to the covered entity within 60 days or as required by the Business Associates Agreement (BAA) and provides the following information if available:

• description of the Event
• description of the Information that was compromised
• identification of the Individuals whose PHI were compromised
• steps Required to Protect Individuals
• investigation Plan
• contact Information

Theme

Process

Type

Preventive

Policy/Standard

Incident Management Policy

>Implementation Guidance

1. Design the process to validate whether an incident includes Personal Health Information.
2. Ensure that all incidents where there has been a breach have been communicated to the covered entity within 60 days, or following the covered entity's Business Associates Agreement.
3. Ensure that within the communication all the listed information was provided to the covered entity:

• description of the Event
• description of the Information that was Compromised
• identification of the Individuals whose PHI were Compromised
• steps Required to Protect Individuals
• investigation Plan
• contact Information

>Testing Procedure

1. Validate all incidents have included Personal Health Information.
2. Inspect whether all the incidents where there has been a breach have been communicated to the covered entity within 60 days, or following the covered entity's Business Associates Agreement.
3. Validate whether the communication was sent to the covered entity and included all the listed information:

• description of the Event
• description of the Information that was Compromised
• identification of the Individuals whose PHI were Compromised
• steps Required to Protect Individuals
• investigation Plan
• contact Information

>Audit Artifacts

E-IR-10
E-IR-11
