How to perform a data breach notification

Kaitlin Morrison April 5, 2016

While no office wants to experience an EHR data breach, breaches do happen, and your clinic should be prepared with a notification plan.

Focusing on prevention will help your office look for security issues and know how health providers are required to act when breaches happen. You may also want to train your office staff on how your office would approach a breach notification, so the entire office can consistently follow your plan if the need ever arises.

When a data breach occurs, your office is required to provide official notification to any impacted patients and to the Department of Health and Human Services (HHS). The exact requirements for the notification depend on how many patients are impacted and where they live, and may ultimately require notifying the media.

Data breach definitions

The Notification Rule only applies to data breaches, which are defined in part by whether or not unauthorized individuals are able to access and use the data. If they cannot, the data is considered secured.¹ Secured data is “unusable, unreadable, or indecipherable.” In other words, “if there is no violation of the Privacy Rule, even if there is an unauthorized use or disclosure, there is no Breach.”¹ If a thorough risk assessment determines that all reasonable security measures are already in place and active, then the disclosure is not a breach.

There are also exceptions. If the Privacy Rule is followed, or there is a reasonable belief that the person who received unauthorized access will probably not be able to retain the information, then no breach has occurred.²

Given this definition, it is possible to protect yourself and your clinic with strong security measures. Assuming your security meets the HHS standards, your clinic probably will not have a breach occur. Being prepared for a breach, however, may help significantly if a breach ever does happen. Note that a breach is presumed to have occurred unless you are able to prove that there is a low probability of harm to patients because your office secures patient information.² Specifically, your office must use encryption and “destruction effectuated in accordance with certain industry best practices”² to ensure the protection of patient health information.

Notification requirements

If the breach impacts fewer than 500 patients, your office is only required to notify those patients and the HHS, with the patient notification being sent within 60 days of the occurrence and the HHS online report filed within 60 days after the end of that calendar year.²

If more than 500 patients are impacted, then your practice must notify both the patients and the HHS within 60 days. If 500 or more of these patients live within the same state or smaller region, such as a particular city or county, you are also required to provide reasonable notification to media outlets that reach the affected locations.²
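The thresholds and deadlines above can be turned into a small checklist calculator that a practice could keep with its breach response plan. This is an added example, not code from the article or from any HHS tool; the discovery date, region counts and the `phi_secured` flag are assumed inputs, and because the article's wording does not address a breach of exactly 500 patients, the example treats 500 as the large-breach threshold (an assumption).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as described in the article (500 itself is assumed to count as "large").
LARGE_BREACH_THRESHOLD = 500
NOTIFY_WINDOW = timedelta(days=60)


@dataclass
class BreachNotice:
    patient_deadline: date        # individual notices due within 60 days of discovery
    hhs_deadline: date            # HHS report deadline (depends on breach size)
    media_regions: List[str]      # regions where 500+ affected patients require media notice


def plan_notification(discovery: date,
                      affected_by_region: Dict[str, int],
                      phi_secured: bool = False) -> Optional[BreachNotice]:
    """Return the notification obligations for a breach, or None if the
    exposed PHI was secured (encrypted/destroyed per best practice), in which
    case the article says no breach has occurred."""
    if phi_secured:
        return None

    total = sum(affected_by_region.values())
    patient_deadline = discovery + NOTIFY_WINDOW

    if total < LARGE_BREACH_THRESHOLD:
        # Small breach: HHS report is due within 60 days after the end of the
        # calendar year in which the breach was discovered.
        hhs_deadline = date(discovery.year, 12, 31) + NOTIFY_WINDOW
    else:
        # Large breach: HHS must be notified within 60 days, like the patients.
        hhs_deadline = discovery + NOTIFY_WINDOW

    # Media notice is triggered per region, not by the overall total.
    media_regions = sorted(region for region, count in affected_by_region.items()
                           if count >= LARGE_BREACH_THRESHOLD)
    return BreachNotice(patient_deadline, hhs_deadline, media_regions)


if __name__ == "__main__":
    # Constructed sample: a breach discovered on the article's publication date.
    small = plan_notification(date(2016, 4, 5), {"FL": 120})
    large = plan_notification(date(2016, 4, 5), {"FL": 900, "GA": 300})
    print("small breach:", small)
    print("large breach:", large)
```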

Breach notification for vendors

Your EHR vendor and other businesses your practice works with may not all be covered by the HIPAA notification rules. For these organizations, the Federal Trade Commission (FTC) has separate notification rules that are similar to the requirements for health practices. If one of your vendors has a breach, they may be required by these laws to send out their own notifications.³

Review your security

Reviewing HIPAA regulations may help you get started on understanding how these rules apply to your practice and how you can help protect your patients’ personal health information.

Information on audits and other resources for health professionals is available online in the HIPAA for Professionals section of the HHS website.

References

¹ American Bar Association. “What is a Breach Under the HITECH Breach Notification Regulations?” The ABA Health eSource. https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_0512_eisen.html. Published May 2012. Accessed March 2016.

² McGuireWoods LLP. “Breach Notification Standard Changed by HIPAA Omnibus Final Rule.” https://www.mcguirewoods.com/Client-Resources/Alerts/2013/1/Breach-Notification-Changed-HIPAA-Omnibus-Final-Rule-Risk-Harm.aspx. Published January 2013. Accessed March 2016.

³ Federal Trade Commission. “Complying with the FTC’s Health Breach Notification Rule.” https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule. Published April 2010. Accessed March 2016.
