What NOT To Do After a Data Breach

Do you know what to do after a data breach? Barry University Foot & Ankle Institute ("Barry") did not.

Barry had a data breach: a laptop was infected with malware in May 2013, and it took seven (7) months to investigate and provide breach notification to the affected individuals.

This is a clear violation of the HITECH breach notification rule. The rule provides that, after a breach of unsecured protected health information, individual notifications must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The 60 days are an outer limit, not a target: waiting the full period when the facts are known sooner is itself an unreasonable delay.

All health care providers must be aware of the seriousness of a breach of unsecured protected health information ("PHI"). Health care providers have specific obligations to maintain appropriate policies and procedures and to train all of their staff. Further, all health care providers must investigate, and timely report, a breach of unsecured PHI.

As many health care providers know, on January 25, 2013, the U.S. Department of Health and Human Services ("HHS") published the final rule (often called the Omnibus Rule) outlining significant changes to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, Breach Notification and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act. Covered entities and business associates were required to comply with the final rule by September 23, 2013.

However, many health care organizations have not updated their policies and procedures, trained staff on the new regulations, or become familiar with the strict timeline requirements for notifying affected individuals upon discovery of a breach of unsecured PHI.

Further, the final rule replaced the old "risk of harm" standard with a presumption of breach. Any impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI was compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. As a practical matter, it is now highly unlikely that a health care provider can avoid notifying its patients.

Certainly, HHS would find that waiting seven (7) months to notify potentially affected individuals, as Barry did, is inappropriate. Health care providers must be proactive: work with a health care attorney to update policies and procedures, train staff, and be prepared to investigate and report a data breach if one occurs.
