
Responsible Reporting

Posted on 16 February 2010 by Anthony

Although a data breach only needs to be reported by a healthcare organization if financial harm results, it is irresponsible for a healthcare organization to ignore a breach of its customers' private health information.  If the health information can be tied in any way to an individual, ethical responsibility to your customers should motivate reporting of the data breach and notification of the proper authorities.

For official reporting to the U.S. Department of Health & Human Services, there are two reporting categories: breaches affecting fewer than 500 individuals and breaches affecting 500 or more.  Many healthcare providers are hesitant to report a data breach officially to HHS because the new requirements under the HITECH Act also state that a breach affecting more than 500 individuals will be posted on the HHS website.  It seems virtually impossible that no data breach has occurred, yet I have not found any organizations listed on the HHS website so far, as seen here.

Reporting a breach to HHS is relatively simple: it is an online form that requires neither much technical knowledge nor submission of technical data or proof of the breach.  Network forensics can be extremely complicated for the novice user, but most of the breaches reported in these initial cases will be physically obvious ones, at least until healthcare data security is audited more carefully than it is today.  See the form for reporting a notice to the Secretary of HHS here.

It is also a good idea to report any security incident to US-CERT, even one that the HHS rules do not require you to report.  US-CERT accepts reports of far more than breaches causing financial harm; a report should be filed even when a computer virus outbreak is detected at a provider.  The US-CERT reporting form is also simple to complete and does not require any significant forensics knowledge.  To see the form for reporting general network and data incidents to US-CERT, click here.

As for notification of your patients: unless financial harm is shown, HIPAA does not require healthcare organizations to report the incident to the individuals affected, but should you?  Most definitely!  Most states already have reporting requirements for data breaches of personally identifiable information, and notification is simply the responsible and ethical choice for any provider wishing to maintain any level of trust with its patients and clients.  To see a sample data breach notification letter written by the FTC, visit their website.

AMENDMENT:  Since this was written, the HHS website has begun listing the providers it is aware of where more than 500 records were breached.


Shift in responsibility

Posted on 03 August 2009 by EHRTech.info

A shift is occurring in the enforcement of HIPAA... again!  The result should be less confusion about enforcement and about how penalties for HIPAA violations are assessed: enforcement of HIPAA violations at the federal level will no longer be split between departments.

http://tinyurl.com/kloqb7


2009 HIPAA; what has changed?

Posted on 14 July 2009 by EHRTech.info

Abstract
The 2009 HITECH Act expands HIPAA coverage to covered entities' business associates, defines "security breach" and the disclosure requirements that follow from one, adds new restrictions on use and disclosure of protected health information, grants new patient rights, mandates compliance audits and heightens HIPAA enforcement.

2009 HIPAA; what has changed?
Many changes have been made to HIPAA as part of the 2009 HITECH Act.  Existing rules were expanded and clarified, and additional penalties and required actions now attach to violations.  Proactively meeting the new requirements should be standard practice for every health care provider, with careful attention to the further expansion of requirements and enforcement over the next 18 months.

Expanded definition of security breach

One of the most significant changes is the burden placed on a health care provider or other covered entity that suffers a breach of unsecured protected health information.  This applies not only to electronic data but to any breach of data held by the provider.  HITECH establishes a rule that all individuals affected by a breach must be notified within 60 days of its discovery.  If more than 500 records were compromised, "prominent media outlets" must be notified as well, and the breach will be posted on the HHS website.  A breach is defined as the unauthorized acquisition, access, use or disclosure of an individual's unsecured protected health information.

New restrictions on use and disclosure

The expansion of HIPAA privacy also adds restrictions on the use and disclosure of protected health information.  A covered entity may not receive remuneration in exchange for protected health information without the individual's authorization; in the permitted exceptions, such as research, payment is limited to the cost of preparing and transmitting the data.  Marketing to individuals based on their protected health information becomes more restrictive as well: direct marketing communications for which any party involved receives payment generally require the individual's authorization.

HHS will also issue new guidance, due within 18 months, defining the "minimum necessary" standard.  This standard determines how much information may be used or disclosed between parties for purposes other than treatment of the patient.

New patient rights
Patients will be happy to hear that several new rights have been granted to them regarding the use and disclosure of their health information.  Patients have the right to request that a provider not share their health information with a health insurer when the patient pays the full cost of the services provided.  Providers that use electronic health records must give a patient an electronic copy of the record on request.  Covered entities maintaining electronic health records must also provide an accounting of all disclosures made for treatment, payment and health care operations over the preceding three years.  Many of these features will be included in the patient health record portal that any good EHR system should offer.  Last of all is the right to opt out of fundraising communications.  Opt-out rights existed before, but each fundraising communication must now clearly state the patient's right to opt out of future solicitations.

HIPAA coverage for business associates
Additional restrictions on how data is shared with a covered entity's business associates have been defined as well.  All business associates of a covered entity must now comply with HIPAA security requirements and data sharing policies directly.  This legislation brings technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of business associates under direct HIPAA regulation.

Heightened HIPAA enforcement
New, more severe penalties for HIPAA violations are effective immediately.

Increased Monetary Penalties

Unknowing violations: $100 per violation, up to $25,000 annually
Reasonable cause violations: $1,000 per violation, up to $100,000 annually
Willful neglect violations, corrected within 30 days: $10,000 per violation, up to $250,000 annually
Willful neglect violations, not corrected: $50,000 per violation, up to $1.5 million annually

Civil penalties for willful neglect become mandatory for violations occurring from 2011 onward.

Additionally, state attorneys general are now authorized to bring civil actions for HIPAA violations.  The HITECH Act also makes clear that criminal penalties under HIPAA may be imposed on individuals or entities that wrongfully obtain protected health information.

Mandatory Compliance Audits

HHS will be required to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.

Subscribe to eHRTech.info to stay updated with the latest information and resources for your eHR system.

