There’s only one thing worse than a serious HIPAA breach: having one and not providing the required notifications.
Entities covered by HIPAA, as well as their business associates, may need to report breaches. An event that compromises the privacy or security of protected health information (PHI) held by a covered entity constitutes a breach. The presumption is that any improper use or disclosure of PHI is a breach, unless a risk assessment shows that the probability the PHI was compromised is low. For instance, if printed records sent out for secure disposal fall off the truck, that counts as a breach unless all the records are recovered before anyone else can get to them.
If a breach does occur, a covered entity has to provide notifications without unreasonable delay (60 days at most) to:
- The Secretary of Health and Human Services. A reporting form for this purpose is available online.
- Individuals affected by the breach. The notice can go out by regular mail, or by email if the people affected have agreed to receive notices that way. If it isn’t possible to reach all affected people by mail or email, a public notice is required.
- The news media, if the breach affects more than 500 residents of a state or jurisdiction.
It’s a legal requirement to document all notifications sent out. If an event falls short of being a breach, the assessment supporting that conclusion has to be documented.
It’s embarrassing to let people know that their confidential medical data may have gotten into the wrong hands, but it gives them a chance to protect themselves from identity theft, and embarrassment is better than the penalties the Office for Civil Rights can assess.
Best of all, of course, is not to have a breach in the first place. The secure cloud service from WHOA.com provides strong security, complying with all HIPAA and HITECH requirements. Contact us to learn more about our service.