The thought of falling victim to a cyberattack or data breach is enough to give nightmares to any healthcare organization in Dallas. However, if it does end up happening to your organization, there are a number of steps you need to take in order to comply with HIPAA law. With our guide, you can regain control of the situation to limit the damage and get your company back on track in the fastest possible time.
Step 1: Analyze the Data Breach
Not all breaches need to be reported, but those that do must be reported right away. Otherwise, the repercussions can be huge – as was evidenced when the Children’s Medical Center of Dallas agreed to pay $3.2m after suffering a breach.
The assessment that you’ll need to conduct following a data breach must cover several key aspects to determine whether it is a high-risk or a low-risk breach. You’ll have to consider:
- Who gained unauthorized access to the health information, and who has the information been disclosed to?
- Whether the data was actually viewed or used in any way.
- Which type of data was accessed or viewed by the unauthorized individual (medical history, payment details, doctor visits, etc.).
- How severely the information and patient data have been compromised.
When the analysis finds that the data was compromised, the HIPAA Breach Notification Rule requires that the affected parties be notified right away. However, there are several situations in which the incident does not have to be reported, although some health organizations may still choose to do so for added transparency.
Examples that do not fall under the HIPAA breach rules include:
- When somebody within the company or at a business associate accidentally accesses the information, and you can verify that they had no ill intentions.
- When the entity has a strong reason to believe that the accessed data could not have been retained by the unauthorized parties.
- When data is transferred between two organizations that would be authorized to access the files at a later stage of the business relationship.
It should also be noted that data which is encrypted, unusable or unreadable is not considered a breach for HIPAA compliance purposes. Either way, a thorough analysis will provide clarity.
How Can You Complete The Analysis?
If your Dallas-based health organization has an internal IT department, it may be able to complete the data breach audit itself. If not, or if you want specialist help, outsourced healthcare IT services from a Managed Service Provider (MSP) are the answer.
A targeted IT and cybersecurity assessment can determine whether the breach was a high-risk or low-risk violation, while also deploying the necessary tools to monitor, protect against, and report on any further potential damage.
Step 2: Report the Breach
Under the Health Insurance Portability and Accountability Act of 1996, all health organizations and business associates must notify patients of any breach of, or unlawful access to, their unsecured protected health information. This is detailed in 45 CFR §§ 164.400-414 of the HIPAA regulations, which is also where you will find your obligations in such situations.
Who Needs To Be Notified?
If the data breach affecting your health organization's patient data falls under the HIPAA rules, you will be required to notify several parties. In every case two of the parties below must be notified; in some cases a third is added.
You have 60 days to inform individuals about the breach and can do this via post or email, although you will need their prior consent if planning to send email. If the contact details for 10 or more people are outdated, you’ll also need to place a notification on your website for a duration of three months.
The Secretary of the U.S. Department of Health & Human Services must also be sent a full report. If the breach affected at least 500 people, your Dallas health organization must complete this task within 60 days. For smaller breaches, you have a year to do it. One of two forms must be used:
- The Secretary notice for a breach affecting 500 or more people.
- The Secretary notice for a breach affecting fewer than 500 people.
The media must be informed of the data breach within 60 days via a written press release detailing the necessary information about the situation. However, this is only required when at least 500 patients and/or employees have been affected by the breach.
How Can Further Attacks Be Prevented?
Once a data breach has been identified, contained, and reported, it is imperative that you protect the business from further HIPAA compliance issues.
A complete audit and action plan from a team of healthcare IT experts is the answer. To regain control of your data protection today, give us a call and learn how our Managed IT Services for Healthcare Providers in Dallas can help your office effectively mitigate IT risks.