As you well know, data breaches are an ever-present risk in the health care industry today. There is extensive guidance on preventing breaches from happening in the first place, but prevention is not always effective. It is important not only to know how to prevent a breach, but also to know what to do if a breach affects your organization. Even if a company does everything right, there is still the chance of a breach occurring. So, if a breach were to affect your company, there are a few vital steps that you need to know.
The official HIPAA Breach Notification Rule outlines all of the circumstances in which a breach must be reported, who is responsible for the notification, and multiple other requirements. This rule was established with The Health Insurance Portability and Accountability Act of 1996. It is important that you know the extent to which the rules apply to your company, so that if a breach should happen, it is handled in the quickest, most effective way possible. Along with putting breach measures in place, “Organizations should also consider developing and implementing a cyber incident response plan that includes breach notification as part of a broader emergency preparedness and disaster recovery program,” according to Health IT Security.
Once a breach has been identified, there are two main components that each company must address: a thorough risk assessment and the breach notification criteria.
Conducting a thorough risk assessment:
- Was Protected Health Information (PHI) accessed or viewed in any way by an unauthorized person(s)?
- What kind of PHI was accessed (social security numbers, credit card information, etc.) and to what extent was it viewed, manipulated, used, shared, etc.?
- Can you determine who the unauthorized person(s) that viewed, used or distributed the PHI is?
- Has the risk to the breached PHI been mitigated by actions of the covered entity? If so, to what extent?
According to Matt Fisher, chair of Mirick O’Connell’s Health Law Group, “You have to look at those four factors and run through an analysis for each one to figure out where you stand. You then use a combination of all of those to determine if there is a low probability of compromise, which would enable a finding that no breach has occurred.”
Who should be notified and when?
- Individuals Impacted – or Potentially Impacted – by the Breach
- The Department of Health and Human Services
- The Media
Notification depends on the extent of the breach: more than 500 people affected, or 500 or fewer people affected.
A breach affecting more than 500 people requires that all the affected individuals be sent a notification letter within 60 days of discovery. When more than 500 people have their data exposed as a result of the breach, the Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified “without unreasonable delay,” and no later than 60 days following discovery of the breach. The report should be filed online at the OCR Breach Reporting Portal. Additionally, a prominent media outlet serving the state of the affected individuals must be notified within 60 days following the discovery of the breach.
For a breach affecting 500 people or fewer, less is required of the company. The same protocol applies to the notification of individuals, but the requirements for the Department of Health and Human Services and the media differ. Notification to the Department of Health and Human Services is not required until within 60 days of the start of the following calendar year. For a breach of this size, the media does not need to be notified at all.
Not only is it important to put security measures in place to limit breaches, but it is also important to have a plan in place in case they do happen. Knowing how to evaluate and respond after a breach has occurred is vital to the reputation and longevity of any company. To learn more about how to best defend against and respond to breaches, join HIPAAgps today.