Sep 23 2009
Today, breach notification regulations take effect under the HITECH Act. HIPAA-covered entities, including healthcare providers and business associates, are now required to notify affected individuals, the Secretary of Health and Human Services and sometimes the media, if a patient's unsecured protected health information (PHI) is breached. With these new rules in place and healthcare breaches accounting for over 66 percent of all records breached this year (according to the Identity Theft Resource Center), ID Experts, the leader in data breach remediation, recommends that organizations evaluate their readiness and existing safeguards and put an incident response plan in place now. To help them get started immediately, ID Experts is offering a complimentary tool called Breach HealthCheck(TM) that helps organizations establish a Breach HealthCheck Index to evaluate whether their existing protections of sensitive patient information are adequate given their business exposure to data breach.
Breach HealthCheck
Breach HealthCheck is available free of charge for a limited time to organizations that are subject to the new HITECH rules, by calling 1-866-726-4271 or by emailing [email protected]. The patent-pending tool, now available in an online version, is designed to measure an organization's business exposure and protection level. Using a mathematical model, Breach HealthCheck produces an index that measures an organization's business risk, preparedness and protection against the growing threat of breach incidents, so that organizations can take action.
"Patients trust healthcare organizations with their lives and they need to be able to trust them with their personal health information," said Bob Gregg, CEO of ID Experts. "Developing a comprehensive incident response plan has become a best practice for healthcare organizations. It is critical in managing the security of their organization and the privacy of their patients."
Breach Incident Response Plan
The Department of Health and Human Services will begin to impose strict penalties and increased fines for violations when the breach notification rule is enforced in February 2010; however, healthcare organizations need to be in compliance with the new rules as of today. Companies need to work quickly to put an incident response plan in place to ensure they are prepared in the event of a data breach. Breach risks can be minimized by executing a well-planned response at every stage of the data breach life cycle. ID Experts' Incident Response Plan supports organizations and their legal resources through the HHS-required post-incident risk assessment to determine whether the level of harm incurred is considered a breach and requires notification. Additionally, the Incident Response Plan outlines the notification process and the HHS logging and reporting of breaches. With ID Experts' Incident Response Plan, organizations can streamline their data breach response; avoid or minimize damage to individuals; meet industry and regulatory requirements; and avoid or minimize the risk of similar breaches in the future.
"Compliance is becoming more complex. The HITECH Act and HHS/FTC Rules make data breach assessment and notification more challenging," said Tanya L. Forsheit, Esq., CIPP, Member, InfoSecCompliance LLC. "Now is the time for organizations to take the extra step of putting together an incident response plan to ensure follow-through compliance with the new regulations."
Source: http://www.idexpertscorp.com