Does your business handle, send, or store personal health information? If the answer is yes, you must follow HIPAA standards.
Did you know that 510 healthcare data breaches occurred in 2019? This caused exposure of 41,335,889 patient records.
Do you feel confident in your knowledge of the HIPAA standards? Have you taken precautions to prevent a HIPAA data breach? Do you know what to do if a breach occurs?
Data breaches have severe consequences for all parties involved. It’s important to understand all the rules associated with HIPAA fully. Continue reading to gain an overview of this topic.
What Is HIPAA?
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). This ensured insurance coverage for workers when they changed or lost jobs. Its standards included measures to decrease healthcare fraud and abuse.
HIPAA also addressed securing the process of transmitting personal health information (PHI) for billing and other processes. The HIPAA Privacy act mandated protection when handling confidential PHI. This applies to all forms of communication, including verbal, written, and electronic.
The Impacts of a HIPAA Data Breach
HIPAA data breaches have severe and far-reaching impacts. If an unauthorized release of PHI occurs, it’s considered a HIPAA violation. It doesn’t matter if it was intentional or accidental.
HIPAA violations can happen in hundreds of different ways. Healthcare professionals should receive regular training on compliance.
They have the task of ensuring the safe use of all PHI under their control. Healthcare companies are also responsible for how their business associates protect PHI.
HIPAA Breach Definition
The HIPAA Security Rule requires companies to create security awareness policies and procedures. All staff members must receive training regarding these security procedures.
The Privacy Rule defines a breach as any use or disclosure that violates PHI security. There are instances in which the PHI compromise is shown to pose a low risk. Examples of this situation include the following:
- The type of PHI has a low likelihood of resulting in the identification of the individual
- The person(s) involved in the PHI violation is identified, and PHI dispersal contained
- Investigations define if the PHI was viewed or obtained
- The PHI risk exposure is defined and mitigated
The HIPAA rules apply to any covered entity which collects, uses, sends, or stores PHI. HIPAA also extends to any third parties that a covered entity shares PHI with.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rules mandates that covered entities notify all affected people. The covered entity must notify The U.S. Department of Health and Human Services (HHS). In certain situations, they must also notify the media of the PHI breach.
The covered entity must report the following information about the breach:
- The circumstances of the breach
- The extent of the PHI involved in the breach
- The parties involved in the breach, if known
- The likelihood that the breached data can identify individuals
- Whether the data was obtained and viewed
- A description of the steps taken to mitigate the breach
HIPAA requires immediate reports of any PHI breach. The covered entity must submit this report within 60 days after discovery. Data violations affecting less than 500 people may be reported annually to the HHS.
Reporting a Breach to Affected Individuals
The HIPAA Breach Notification Rule also states how to inform affected individuals. The covered entity must make this notification in writing. This may occur via first-class mail or email.
Often, the covered entity may have insufficient or out-of-date contact information. If this involves more than nine people, they should use another notification method. Here are some examples of ways to tell these individuals:
- Place a notice on the covered entity’s website home page for at least 90 days
- Publish a press release that’s expected to reach affected individual
- Publish a toll-free phone number for at least 90 days with information about the breach
If there’s no contact information for less than ten affected people, they can use other methods. They may provide notice of the breach by another written format, telephone, etc.
The notification should give the person a brief description of the breach. Tell them the type of information involved. Let the person know what your company’s doing to prevent possible harm to their privacy.
Also, describe measures the company is taking to investigate the breach, limit the exposure, and increase security. Be sure that the individual knows who to contact if they have further questions or problems.
When the Business Associate Finds a Breach
Covered entities are responsible for notifications, even if the breach occurred with a business associate. The covered entity has the option of delegating this task to the business associate. Yet, they may not have the information needed to make the required notification.
The business associate may not have a direct relationship with the people involved. This may create confusion and distrust on the part of the affected individuals. Remember, delegating this task does not relieve the covered entity of its responsibility.
Consequences of HIPAA Breach
The HITECH Act intends to promote the use of the electronic health record. It also outlines strategies to improve privacy and security for PHI.
Section 13402(e)(4) of the HITECH Act applies to PHI breaches that impact 500 or more people. It also increases the penalties for HIPAA Privacy and Security Rules violations.
Are You Concerned About HIPAA Data Breaches?
A HIPAA data breach presents a serious concern for all businesses handling PHI. This article described the rules that all covered entities and business associates must follow. You also learned about what to do in the event of a data breach.
This presents a huge task for companies on top of running their daily business. HIPAA Security Suite can help ease your load. We offer private programs to help you achieve HIPAA compliance.
Contact us today to ask questions and learn more about our products.