In late August 2009, the Department of Health and Human Services (HHS) issued new regulations requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is compromised. Specifically, the HITECH Act requires businesses to report breaches affecting 500 or more individuals to HHS within 60 days of discovering the breach. It also requires that HHS post on its website a list of these reported breaches.
The “Breach Notification Rule” is now in full effect. Last week, HHS posted a list of breaches of unsecured PHI that affected 500 or more people. As summarized in the report, 27 of the breaches resulted from thefts of paper or electronic records. Other breaches were described as “Hacking/IT Incident,” “Loss,” “Incorrect Mailing,” “Unauthorized Access,” “Misdirected Email,” and “Phishing Scam.” The breach affecting the largest number of individuals was reported by Blue Cross Blue Shield of Tennessee. There, a theft of hard drives resulted in breaches of unsecured PHI affecting half a million individuals.
Does the new rule apply to you?
It does if you’re a HIPAA-covered entity or business associate, including most health care providers, health plans and health care clearinghouses. Employers who act as sponsors of group health plans may also be covered entities, depending upon their level of involvement.
What is a breach?
A breach occurs when 1) there has been “unauthorized” access, use or disclosure of “unsecured” PHI that violates the rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”
“Unsecured” PHI is any information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or method such as encryption or destruction.
Encryption - Proper encryption should use an algorithmic process to transform data into a form that is meaningless without a confidential process or key (which also must be protected).
Destruction - Hard copy PHI, such as paper or film, needs to be thoroughly shredded or destroyed so that it cannot be read or reconstructed.
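To make the encryption definition concrete, here is an added example (not part of the original post or of HHS guidance) in Go, using AES-256-GCM from the standard library as one algorithmic process that meets the description. The record, the key bytes and the field names are constructed for illustration. The point it demonstrates is the one the rule turns on: a stolen copy of the encrypted record exposes none of the identifying fields, decryption fails without the exact key, and so the key must be protected and kept on separate storage from the data it protects, or the data is not "secured" in any meaningful sense.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealPHI encrypts one PHI record with AES-256-GCM. The result is
// nonce || ciphertext || authentication tag; without the key it is
// unreadable, and any tampering is detected on decryption.
func sealPHI(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// openPHI reverses sealPHI. It fails unless the same key is presented
// and the stored blob is intact.
func openPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// containsAny reports whether any identifying field appears verbatim in the
// stored bytes, i.e. whether the stored copy on its own exposes the individual.
func containsAny(stored []byte, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(stored, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("name=Jane Example;dob=1970-01-01;dx=Z00.00")
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := sealPHI(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext exposes identity: ", containsAny(record, "Jane Example", "1970-01-01"))
	fmt.Println("ciphertext exposes identity:", containsAny(blob, "Jane Example", "1970-01-01"))

	// The drive holding blob is lost, but the key was kept elsewhere:
	wrongKey := make([]byte, 32)
	if _, err := openPHI(wrongKey, blob); err != nil {
		fmt.Println("decrypt without the right key:", err)
	}
	back, err := openPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with the right key:", string(back))
}
```

Run it with `go run` and compare the two "exposes identity" lines: the plaintext record is unsecured PHI in the rule's sense, the sealed blob is not, provided the key never travels with the media. Storing the key file on the same drive as the blob would collapse the distinction, which is why the rule's parenthetical that the key "also must be protected" matters as much as the choice of algorithm.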
Beyond enhancing your data security efforts, you have a responsibility to:
=> notify individuals when their health information has been compromised
=> update your HIPAA policies and procedures
=> educate employees on new procedures
Cover all the bases with our HIPAA Forms CD-ROM and Poster Bundle. It includes all the HIPAA compliance materials you need - from an Employee Information Poster and HIPAA Privacy and Security Policy to a Breach Incident Log and other essential forms - to stay in compliance.
For additional direction with your compliance questions, go to HIPAA FAQs.