Breach Notification Protocol
Last week, I posted about an event conducted by the Privacy & Security Forum in Boston at the beginning of December. This event brought together senior healthcare IT professionals and subject-area experts to discuss cybersecurity and protecting an organization’s data.
This convention produced three major takeaways: first, that cyberattacks aren’t going away; second, that every organization needs a breach reaction plan; and third, that onsite HIPAA audits are on the horizon for 2017.
After hearing these takeaways, I realized that many healthcare organizations and individuals don’t know the breach notification requirements or the proper protocol for meeting them. I wanted to take this opportunity to define what a breach is and to lay out the steps your organization must follow if it is in fact breached.
A breach in the healthcare field is an act that compromises the security or privacy of protected health information. If your organization suffers a breach that affects individuals’ health information, there is a set of steps your organization, as a covered entity, must take immediately.
- Individual Notice – Covered entities must notify affected individuals following the discovery of a breach. These covered entities or organizations must notify the individual in written form by mail or e-mail. This notification must be provided no later than 60 days following the discovery of the breach and must include a brief description of the breach and the steps the affected individuals should take to protect themselves from harm.
- Media Notice – Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to notify the appropriate media outlets. This type of notification is usually in the form of a press release and must be provided no later than 60 days following the discovery of the breach.
- Notice to the Secretary – In addition to notifying the individuals and the media, covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the U.S. Department of Health & Human Services website and filling out and submitting a breach report form. For breaches affecting 500 or more individuals, this form must be submitted within 60 days of discovering the breach; for breaches affecting fewer than 500 individuals, it must be submitted within 60 days after the end of the calendar year in which the breach was discovered.
To reduce the chance of a breach at your healthcare organization and to be ready if one occurs, covered entities must have written policies and procedures for breach notification in place, must train employees on those procedures, and must define appropriate sanctions for employees who do not comply with them.
If you feel as though your organization is not prepared for a breach and does not have the proper breach notification policies and procedures in place, then it’s time for a conversation with our Healthcare IT experts.