As more healthcare organizations face the daunting task of dealing with a data breach, more of them will have to become intimately familiar with the HIPAA Breach Notification Rule.
The rule requires HIPAA covered entities and business associates (BAs) to provide notification to individuals, regulators, and the media following a breach of protected health information (PHI). But the devil, as they say, is in the details.
When a breach is suspected, HHS advises covered entities to conduct a risk assessment to determine the probability that the PHI has been accessed by an unauthorized person or persons.
Laura Hammargren, healthcare co-leader and cybersecurity and data privacy attorney with Chicago-based Mayer Brown, agreed.
“I would do a risk assessment if you suspect a breach. You have to gauge whether it's reportable or to what extent it might need to be disclosed and to whom. To do that, you do need to figure out what exactly happened.”
HHS requires three types of entities to be notified in the case of a PHI data breach: individual victims, media, and regulators.
The covered entity must notify those affected by the breach of unsecured PHI within 60 days of discovery of the breach.
“That can be a question. When was the date of discovery? Is it the moment you suspect that you have a breach? Is it the time when you confirm that in fact there has been a breach and what that breach is? Different companies interpret that in different ways, although staying on the conservative side might save the company some pain later,” Hammargren told HealthITSecurity.com.