Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may.
Colington Consulting

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button?

3/22/2019 9:32:57 AM

by Jay Hodes, President - Colington Consulting

Indeed, it is. According to the latest statistics from the HHS Office of Civil Rights (OCR), 43% of all reported breaches are now caused by hacking or other related information network discrepancies—not to mention those breaches that are the result of impermissible disclosures made by members of the workforce.

Let’s face it, breaches will happen, especially those related to information systems. When it comes to breaches, most network security experts say it is “when” and not “if.” Regardless of whether the breach is related to the network or some other means such as lost or stolen devices containing ePHI, what is important is having a process in place to deal with it. This includes the ability to conduct an internal investigation to determine the basics such as how the breach was caused, the type of breach, and how many individuals were affected. 

The HIPAA Breach Notification Rule states that a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The exception is when the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

        
  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

So, what is the best way to conduct the breach risk assessment to determine this probability? Start with some type of Breach Notification Risk Assessment Tool, which is a decision-tree-based process. This will help determine if the breach is reportable. Even if the determination is made that the breach is not reportable, documentation that this assessment was conducted must be maintained.

Having a comprehensive breach notification policy is critical. This will save a lot of headaches and lay out a process to follow during the period of uncertainty associated with a breach. The policy should state the obvious, such as who needs to be notified internally within the organization, who is responsible for conducting the assessment, and what specific notifications need to be made. What is even more important is the actual procedure to implement the policy. Procedures should cover how to undertake the investigation of the breach to cover the who, what, how, and when of the occurrence. If it is a reportable breach, this type of information is required for submitting “Notice of a Breach” to the Secretary of HHS (which technically is delegated to OCR). When submitting the Notice, one should be prepared to answer a number of questions. This is why it is important that the internal investigation uncover as much information as possible.

Being prepared with internal policy and procedure can help dial down that initial panic and provide a systematic process to follow. 
