While no office wants to experience an EHR data breach, they do happen, and your clinic should be prepared with a notification plan.
Focusing on prevention will help your office look for security issues and understand how health providers are required to act when breaches happen. You may also want to train your office staff on how your office would approach a breach notification, so the entire office can consistently follow your plan if the need ever arises.
When a data breach occurs, your office is required to provide official notification to any impacted patients and to the Department of Health and Human Services (HHS). The exact requirements for the notification depend on how many patients are impacted and where they live, and may ultimately require notifying the media.
Data breach definitions
The Notification Rule only applies to data breaches, which are defined in part by whether or not unauthorized individuals are able to access and use the data. If they cannot, then the data is probably secure.¹ Secure data is “unusable, unreadable, or indecipherable.” In other words, “if there is no violation of the Privacy Rule, even if there is an unauthorized use or disclosure, there is no Breach.”¹ If a thorough risk assessment determines that all reasonable security measures are already in place and active, then the disclosure is not a breach.
Exceptions apply as well: if the Privacy Rule is followed, or there is a reasonable belief that the person who received unauthorized access will probably not be able to retain the information, then no breach has occurred.²
Given this definition, it is possible to protect yourself and your clinic with strong security measures. Assuming your security meets the HHS standards, your clinic probably will not have a breach occur. Being prepared for a breach, however, may help significantly if one ever does happen. A breach is assumed to have occurred unless you are able to prove that there is a low probability of harm to patients because your office secures patient information.² Specifically, your office must use encryption and “destruction effectuated in accordance with certain industry best practices”² to ensure the protection of patient health information.
Notification requirements
If the breach impacts fewer than 500 patients, your office is only required to notify those patients and the HHS, with the patient notification sent within 60 days of the occurrence and the HHS online report filed within 60 days after the end of that calendar year.²
If more than 500 patients are impacted, then your practice must notify both the patients and the HHS within 60 days. If 500 or more of these patients live within the same state or a smaller region, such as a particular city or county, you are also required to provide reasonable notification to media outlets that reach the affected locations.²
Breach notification for vendors
Your EHR vendor and the other businesses your practice works with may not all be covered by the HIPAA notification rules. For these organizations, the Federal Trade Commission (FTC) has separate notification rules that are similar to the requirements for health practices. If one of your vendors has a breach, it may be required by these rules to send out its own notifications.³
Review your security
Reviewing the HIPAA regulations may help you get started on understanding how these rules apply to your practice and how you can help protect your patients’ personal health information.
Information on audits and other resources for health professionals is available online in the HIPAA for Professionals section of the HHS website.
References
¹American Bar Association. “What is a Breach Under the HITECH Breach Notification Regulations?” The ABA Health eSource. https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_0512_eisen.html. Published May 2012. Accessed March 2016.
²McGuireWoods LLP. “Breach Notification Standard Changed by HIPAA Omnibus Final Rule.” https://www.mcguirewoods.com/Client-Resources/Alerts/2013/1/Breach-Notification-Changed-HIPAA-Omnibus-Final-Rule-Risk-Harm.aspx. Published January 2013. Accessed March 2016.
³Federal Trade Commission. “Complying with the FTC’s Health Breach Notification Rule.” https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule. Published April 2010. Accessed March 2016.