§164.530(f) Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.
Audit Inquiry
Does the covered entity mitigate any harmful effect that is known to the covered entity of a use or disclosure of PHI by the covered entity or its business associates, in violation of its policies and procedures?
Obtain and review policies and procedures in place for consistency with the established performance criterion. Determine whether a process is in place to ensure mitigation actions are taken pursuant to the policies and procedures.
From a population of instances of non-compliance within the audit period, obtain and review documentation to determine whether mitigation plans were developed and applied pursuant to the policies and procedures. [Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate mitigation plans consistent with the entity's policies have been developed and applied.]
Obtain and review documentation that the policies and procedures are conveyed to the workforce.