
Life's a "breach" if you mishandle protected health information

In late August 2009, the Department of Health and Human Services (HHS) issued new regulations requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is compromised. Specifically, the HITECH Act requires businesses to report breaches affecting 500 or more individuals to HHS within 60 days of discovering the breach. It also requires that HHS post on its website a list of these reported breaches.

The “Breach Notification Rule” is now in full play. Last week, HHS posted a list of breaches of unsecured PHI that affected 500 or more people. As summarized in the report, 27 of the breaches resulted from thefts of paper or electronic records. Other breaches were described as “Hacking/IT Incident,” “Loss,” “Incorrect Mailing,” “Unauthorized Access,” “Misdirected Email,” and “Phishing Scam.” The breach affecting the largest number of individuals was reported by Blue Cross Blue Shield of Tennessee, where a theft of hard drives resulted in breaches of unsecured PHI affecting half a million individuals.

Does the new rule apply to you?

It does if you’re a HIPAA-covered entity or business associate, including most health care providers, health plans and health care clearinghouses. Employers who act as sponsors of group health plans may also be covered entities, depending upon their level of involvement.

What is a breach?

A breach occurs when 1) there has been “unauthorized” access, use or disclosure of “unsecured” PHI that violates the rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”

“Unsecured” PHI is any information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or method such as encryption or destruction.

Encryption - Proper encryption should use an algorithmic process to transform data into a form that is meaningless without a confidential process or key (and that key must itself be protected; encrypted data stored alongside its key is not secured).

Destruction - Hard copy PHI, such as paper or film, needs to be thoroughly shredded or destroyed so that it cannot be read or reconstructed.

Beyond enhancing your data security efforts, you have a responsibility to:

=> notify individuals when their health information has been compromised
=> update your HIPAA policies and procedures
=> educate employees on new procedures

Cover all the bases with our HIPAA Forms CD-ROM and Poster Bundle. It includes all the HIPAA compliance materials you need - from an Employee Information Poster and HIPAA Privacy and Security Policy to a Breach Incident Log and other essential forms - to stay in compliance.

For additional direction with your compliance questions, go to HIPAA FAQs.

New HIPAA Breach Notification Rules kick in today

With medical data breaches on the rise, the federal government is taking action to help stem the problem. The Department of Health and Human Services (HHS) recently issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is breached. The HHS regulations came two days after the Federal Trade Commission (FTC) issued regulations outlining similar requirements for personal health record (PHR) vendors, PHR-related entities and third-party service providers.


“This new federal law ensures that covered entities and business associates are
accountable to the Department and to individuals for proper safeguarding of the
private information entrusted to their care. These protections will be a
cornerstone of maintaining consumer trust as we move forward with meaningful use
of electronic health records and electronic exchange of health information,”
said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR.
(HHS Press Release)

Under the new rules, businesses must immediately notify individuals of a breach, and must also notify HHS (or the FTC) and the media when a breach affects more than 500 individuals. This new notice requirement is designed to help consumers make informed decisions when their health information is released to unauthorized users, while also prompting companies to enhance security. Businesses are also required to update their HIPAA policies and train employees on new procedures.

What is a breach?

A breach occurs when 1) there has been “unauthorized” access, use or disclosure of PHI, which violates the HIPAA Privacy Rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”

Let’s say, for example, your company sponsors a group health insurance plan and a laptop containing enrollment information constituting PHI is lost or stolen. You most likely would be required to notify the affected individuals. Or perhaps you operate a HIPAA-covered medical practice and a staff member impermissibly downloads patients’ PHI to his personal computer. Again, you would need to notify the affected patients.

The effective date of the new HIPAA Breach Notification Rules is today, September 23, 2009. However, HHS has stated it will not impose penalties until February 22, 2010.