HIPAA Privacy - Mitigation 164.530(f)

Overview:
§164.530(f)
Standard: Mitigation.
A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.


Action Items:
1) Obtain and review policies and procedures in place for consistency with the established performance criterion. Determine whether a process is in place to ensure mitigation actions are taken pursuant to the policies and procedures.
2) From a population of instances of non-compliance within the audit period, obtain and review documentation to determine whether mitigation plans were developed and applied pursuant to the policies and procedures. [Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate mitigation plans consistent with the entity policies have been developed and applied]
3) Obtain and review documentation that the policies and procedures are conveyed to the workforce.


Related Documents:
1) Policies and procedures in place for consistency with the established performance criterion.
2) Population of instances of non-compliance within the audit period.
3) Documentation to determine whether mitigation plans were developed and applied pursuant to the policies and procedures.
4) Documentation that the policies and procedures are conveyed to the workforce.


Additional Guidance:
A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.