Understanding the final regulations for the new HIPAA Breach Notification Rule

The final regulations for the new HIPAA Breach Notification Rule place a far greater burden on Covered Entities (CEs) and Business Associates (BAs) than the earlier rules did. It is not enough for them to simply notify individuals whose Protected Health Information (PHI) has been affected. To determine whether a breach occurred, they must follow and document a very specific process, and their work does not end there. If no breach occurred, documentary evidence supporting that conclusion must be compiled and retained for six years. If a breach did occur, CEs and BAs must make timely notifications and document those notifications and every other action taken.
Huge number of breaches
Breaches and security incidents can happen at any time, as the reporting record shows. From September 2009 to May 31, 2015, over 173,000 separate breaches of PHI affecting fewer than 500 individuals, and 1,240 breaches affecting 500 or more individuals, were reported to the U.S. Department of Health and Human Services (HHS).
HHS defines a breach stringently, and the distinctions it draws are often fine ones. An acquisition, access, use, or disclosure of PHI that is not permitted by the Privacy Rule is presumed to be a breach unless it falls within one of the rule's exceptions or the CE or BA can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. Not every suspected breach turns out to be one, but the CE or BA must know the rules well enough to assess each incident and, where it concludes there was no breach, document the basis for that conclusion.
Other aspects of a breach notification
A CE must notify prominent media outlets serving the affected state or jurisdiction whenever a breach involves more than 500 of its residents; a BA's obligation is to report the breach to the CE. At times a CE may also have to state publicly that an incident was not a breach. CEs and BAs must also guard against the large black market for PHI: phishers, hackers and burglars are constantly trying to obtain it. The FBI reported in 2014 that medical identity information commands $50 on the black market, while a credit card number or Social Security Number sells for $1.
This session will offer a clear understanding of the new HIPAA Breach Notification Rule and of how CEs and BAs can protect patient information and so prevent a breach. At this webinar, Paul will explain the following:
• What Covered Entities and Business Associates must do to comply with the Breach Notification Rule
• What is and is not a Breach
• Who must be notified in case of a Breach
• When notifications must be provided
• What information must be contained in each notification
• Other requirements in case of a Breach
o Investigate
o Mitigate harm to affected individuals
o Protect against further Breaches
o Document everything
• Planning and preparation for the worst – public relations and mitigation strategies to limit damage to the organization’s reputation and financial well-being

