[BreachExchange] How to perform a data breach notification

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 5 18:18:50 EDT 2016


http://www.chiroeco.com/ehr-data-breaches-and-the-hipaa-notification-rule/81717/

While no office wants to experience EHR data breaches, they do happen,
and your clinic should be prepared with a notification plan.

Focusing on prevention will help your office look for security issues and
know how health providers are required to act when breaches happen. You may
want to train your office staff on how your office would approach a breach
notification, so the entire office can consistently follow your plan if the
need ever arises.

When a data breach occurs, your office is required to provide official
notification to any impacted patients and to the Department of Health and
Human Services (HHS). The exact requirements for the notification depend
on how many patients are impacted and where they live, and may ultimately
require notifying the media.

Data breach definitions

The Notification Rule only applies to data breaches, which are defined in
part by whether or not unauthorized individuals are able to access and use
the data. If not, then the software is probably secure. ¹ Secure data is
“unusable, unreadable, or indecipherable.” In other words, “if there is no
violation of the Privacy Rule, even if there is an unauthorized use or
disclosure, there is no Breach.”¹ Based on a thorough risk assessment, if
the determination is made that all reasonable security measures are already
in place and active, then the disclosure is not a breach.

Exceptions do apply, however. If the Privacy Rule is followed, or
there is a reasonable belief that the person who received unauthorized
access will probably not be able to retain the information, then no breach
has occurred. ²

Given this definition, it is possible to protect yourself and your clinic
with strong security measures. Assuming your security meets the HHS
standards, your clinic probably will not have a breach occur. Being
prepared for a breach, however, may help significantly if a breach ever
does happen. It is assumed that a breach has occurred unless you are able
to prove that there is a low probability of harm to patients because your
office secures patient information. ² Specifically, your office must use
encryption and “destruction effectuated in accordance with certain industry
best practices”² to ensure the protection of patient health information.

Notification requirements

If the breach impacts fewer than 500 patients, your office is only required
to notify those patients and the HHS, with the patient notification being
sent within 60 days of the occurrence and the HHS online report filed
within 60 days after the end of that calendar year. ²

If more than 500 patients are impacted, then your practice must notify both
the patients and the HHS within 60 days. If 500 or more of these patients
live within the same state or smaller region, such as a particular city or
county, you are also required to provide reasonable notification to media
outlets that reach the affected locations. ²

Breach notification for vendors

Your EHR vendor and other businesses your practice associates with may not
all be covered by HIPAA notification rules. For these organizations, the
Federal Trade Commission (FTC) has separate notification rules that are
similar to the requirements for health practices. If one of your vendors
has a breach, they may be required by these laws to send out their own
notifications. ³

Review Your Security

Reviewing HIPAA regulations may help you get started on understanding how
these rules apply to your practice and how you can help protect your
patients’ personal health information.

Information on audits and other health professional resources are available
online at the HIPAA for Professionals section of the HHS website.