Are you ready for a data breach?

By Doug Pollack
June 23, 2010
02:49 PM

The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents.

If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should:

  1. The requirement for a mandatory incident-specific risk assessment for every incident
  2. The fact that HITECH notification provisions do not pre-empt state notification laws
  3. Encryption of data does not necessarily alleviate the risk of data breach
  4. If your business associate exposes your protected health information (PHI), you are responsible


1. Mandatory incident-specific risk assessment.  When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement.  The requirement is that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident.  The rules establish a "harm threshold" for notification, but unfortunately, don't make the determination of risk and the potential of harm. It is essential to become well versed in these rules and be prepared to carry out a HITECH compliant data breach incident risk assessment.

2. HITECH doesn't pre-empt state notification laws.  While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws.  And while the intent of these laws is similar -- to make individuals aware that their PHI may have been improperly disclosed -- the specific details in all of these laws can actually vary a great deal.  But because HITECH is not "preemptive," a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations as well as the regulations in every state where individuals are affected.  This can be daunting especially because HITECH and state laws in some cases are conflicting.

3.  Encryption not a silver bullet.  There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents.  The general argument is that if data is encrypted, that data breaches will not occur.  Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea.  For instance, a common threat approach is for a criminal or organized crime entity to enlist an "insider" to assist in extracting PHI.  An insider with valid access credentials will not find encryption to be an obstacle in any way.  As a result, consider encryption one of many tools for information protection, not a silver bullet.

4.  You are responsible for your business associate.  For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH.  While this is a good thing, a covered entity should not consider this a "free pass" if one of your business associates exposed PHI that was provided by your organization.  While you may be able to hold them financial accountable, if you've specified for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity.  It is your responsibility to maintain the privacy for the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.

As you put processes and procedures in place to meet HITECH obligations, consider also putting in place a comprehensive and current data breach incident response plan.  This will prevent a lot of headaches and last-minute scrambling, should you be faced with a data breach.  

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Bird's eye view of Nashville during the day
Oracle seeks to address health disparities with new collaborative

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Dr. Anmol Kapoor of CardiAI and BioAro on AI-enabled precision healthcare
AI-driven precision healthcare is here – what you need to know
Chris Harle, CIO of Regentrief Institute
Regenstrief Institute appoints a new chief information officer
Adam Hutchinson at oVRcome_Images courtesy of oVRcome
How VR exposure therapy is helping patients overcome their phobias
Stethoscope resting on tablet
HIMSSCast: Digital tools can leverage SDOH data and improve outcomes
Dr. Tim O'Connell of emtelligent on AI
Safe and equitable AI needs guardrails, from legislation and humans in the loop
Doctor and patient review clinical notes
Are genAI-produced visit summaries the future?
User authenticates laptop access on a mobile phone with required MFA
Google sets mandatory MFA deadline for all cloud accounts
Greg Garcia at Cybersecurity Working Group_Healthacre Cybersecurity Forum 2024
Cyberattacks are now at epidemic proportions