What NOT To Do After a Data Breach

Do you know what to do after a data breach? Barry University Foot & Ankle Institute (“Barry”) did not.

Barry had a data breach, and it took seven (7) months to investigate and provide breach notification to affected individuals after a laptop was infected with malware in May 2013.

This is a clear violation of the final HITECH rules. The rules provide that, after a breach of unsecured protected health information, individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach.

All health care providers must be aware of the seriousness of a breach of unsecured protected health information (“PHI”). Health care providers have specific obligations to maintain appropriate policies and procedures and to train all of their staff. Further, all health care providers must investigate and timely report a breach of unsecured PHI.

As many health care providers know, on January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the final rule outlining significant changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The final rule went into effect September 23, 2013.

However, many health care organizations have not updated their policies and procedures, trained staff on the new regulations, or become familiar with the strict timeline requirements for providing notification to affected individuals upon discovery of a breach of unsecured PHI.

Further, the final rule establishes a presumption that a data breach caused harm, so it is now highly unlikely that a health care provider can avoid notifying its patients. The rule provides that a breach is presumed unless the covered entity or business associate demonstrates that there is a low probability that the protected health information was compromised.

Certainly, the government would find that waiting seven (7) months to notify potentially affected individuals, as Barry did, is inappropriate. Health care providers must proactively work with their health care attorney to update their policies and procedures, train staff, and be prepared should a data breach occur.

Tell us how your organization protects its information. Share your ideas with us by clicking on the comment button below. We’d love to hear from you.
