Under HITECH, any breach of unsecured PHI affecting 500 or more individuals is posted on the HHS breach portal, widely known as the “Wall of Shame.” Covered entities should know the steps needed to stay off that list and be familiar with the HITECH breach notification requirements in case a breach does occur.
Headlines about payment card breaches at Target, Home Depot, Kmart, eBay and JPMorgan Chase are all too common these days. The recent intrusion into Community Health Systems’ network was a wake-up call for health care facilities. The rising black market value of stolen credit card numbers and Social Security numbers bundled with protected health information (PHI) makes it all the more important to assess the threats and vulnerabilities facing a healthcare organization.
The Final Rule defines a ‘breach’ as an impermissible use or disclosure of PHI, unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised. A few narrow exceptions apply: unintentional, good-faith access by a workforce member acting within the scope of their authority; inadvertent disclosure between two persons authorized to access PHI at the same entity; and disclosures where the recipient could not reasonably have retained the information. In each case the exception holds only if no further impermissible use or disclosure occurs. A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days from discovery.
An impermissible use or disclosure is presumed to be a breach until a risk assessment shows a low probability that the PHI has been compromised. The assessment should consider at least these four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
If a breach of unsecured PHI is determined to have occurred:
- Notify affected individuals in writing (first-class mail, or e-mail if the individual has agreed) without unreasonable delay and no later than 60 days from discovery. If contact information is out of date for 10 or more individuals, provide substitute notice through a conspicuous posting on the covered entity’s website home page for 90 days or through major print or broadcast media, with a toll-free number individuals can call.
- If 500 or more individuals are affected, notify HHS at the same time as the individuals, and no later than 60 days from discovery.
- If fewer than 500 individuals are affected, log the breach and report it to HHS annually, within 60 days after the end of the calendar year in which it was discovered.
- If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that state or jurisdiction, within the same 60-day window.
The notice to affected individuals should contain the following:
- A brief description of the breach, including the date it occurred and the date it was discovered
- The types of unsecured PHI involved
- Steps the entity is taking to investigate, mitigate harm and prevent further breaches
- Steps individuals should take to protect themselves from any harm resulting from the breach
- Contact information (such as a toll-free number, e-mail address or website) for questions
The HHS “Wall of Shame” gives privacy and security breaches at healthcare entities far greater visibility than they once had. To avoid joining the list, continually monitor your practice for vulnerabilities and threats and mitigate risks to PHI before they turn into avoidable breaches.