What NOT To Do After a Data Breach

Do you know what to do after a data breach? Barry University Foot & Ankle Institute (“Barry”) did not.

Barry suffered a data breach when a laptop was infected with malware in May 2013, and it then took seven (7) months to investigate the incident and provide breach notification to the affected individuals.

This is a clear violation of the final HITECH rules. The Breach Notification Rule (45 CFR § 164.404) provides that, after a breach of unsecured protected health information, individual notifications must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the covered entity; the clock does not wait for the investigation to finish.

All health care providers must be aware of the seriousness of a breach of unsecured protected health information (“PHI”). Healthcare providers have specific obligations to maintain appropriate policies and procedures and to train all of their staff. Further, all healthcare providers must investigate and timely report a breach of unsecured PHI.

As many health care providers know, on January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the final rule (the “Omnibus Rule”) outlining significant changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security, Breach Notification and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The final rule became effective March 26, 2013, and covered entities and business associates were required to comply by September 23, 2013.

However, many health care organizations have not updated their policies and procedures, trained staff on the new regulations, or become familiar with the strict timeline requirements for providing notification to affected individuals upon discovery of a breach of unsecured PHI.

Further, the final rule replaced the old “risk of harm” standard with a presumption of breach: any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. That demonstration must be a documented risk assessment considering at least four factors: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. As a practical matter, it is now highly unlikely that a healthcare provider can avoid notifying its patients. Note also that the rule applies only to unsecured PHI; PHI rendered unusable, unreadable or indecipherable under the HHS guidance (for example, data encrypted in accordance with that guidance, with the key kept separate from the device) falls outside the notification requirement, which is one reason full-disk encryption on laptops matters so much.

Certainly, the government would find that waiting seven (7) months to notify potentially affected individuals, as Barry did, is inappropriate. Health care providers must be proactive: work with a health care attorney to update policies and procedures, train staff, and be prepared for a data breach before one occurs.

Published on the Rickard & Associates healthcare blog.