HIPAA breach notification rule final


HIPAA: How to Avoid a Data Breach?


What is HIPAA?
• HIPAA: Health Insurance Portability and Accountability Act
• Passed by Congress in 1996
• It includes requirements for:
  – Transfer and continuation of health insurance coverage for millions of American workers and their families when they change or lose their jobs
  – Reducing healthcare fraud and waste
  – The protection and confidential handling of protected health information (PHI)


HIPAA Breach Notification Rule
• What is a breach?
  – A breach is an impermissible acquisition, access, use or disclosure of unsecured PHI (PHI that has not been rendered unusable, unreadable or indecipherable by encryption or destruction as specified in HHS guidance) that compromises the security or privacy of that PHI.
  – The earlier "significant risk of financial, reputational or other harm" test from the 2009 interim rule was removed by the 2013 Omnibus Rule and is no longer the standard.
• An impermissible use or disclosure is presumed to be a breach, and notification is required, unless the covered entity or business associate demonstrates through a documented risk assessment that there is a low probability that the PHI has been compromised. That assessment must consider at least: the nature and extent of the PHI involved; the unauthorized person who used or received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.


What to Do When You Have a Breach?
• Notify each affected individual without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered; the 60 days is an outer limit, not a target
• A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it, so the clock does not wait for the investigation to finish
• The notice, in plain language, should include:
  – What happened: the date of the breach and the date of discovery, if known
  – What information was involved: the types of unsecured PHI (e.g. full name, Social Security number, date of birth, home address, account number, diagnosis)
  – What steps the affected individual should take to protect themselves from potential harm
  – What the covered entity is doing about it:
    – Investigating the incident
    – Mitigating the impact
    – Steps taken to protect against any further breaches
  – Contact information: a toll-free number, email address, website or postal address where the individual can ask questions or get more information
• A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery; the covered entity is then responsible for notifying the individuals


What to Do In Case of Large Breaches?
• If unsecured PHI (not only ePHI) of more than 500 residents of a State or jurisdiction is involved, prominent media outlets serving that State or jurisdiction must be notified in addition to the affected individuals, without unreasonable delay and no later than 60 calendar days after discovery.
• Breaches affecting 500 or more individuals must be reported to the Secretary of HHS through the breach report form on the HHS website at the same time the individuals are notified; HHS posts these reports publicly. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered.
• PHI encrypted in line with HHS guidance, where the decryption key was not also compromised, is not "unsecured" PHI, so a lost laptop or drive that was properly encrypted does not trigger these notifications. Encrypting portable devices and media is the most direct way to keep a lost device out of this process.


How to Prevent Breaches?
• Eliminate unnecessary data and keep strict controls on what remains
• Ensure the essential controls identified in the risk analysis are actually implemented and verified, not just documented
• Assess remote access services (VPN, remote desktop, vendor and business associate connections)
• Test and review web applications, including patient portals and any interface that exposes PHI
• Audit user accounts (deprovision departed staff promptly, review role assignments) and monitor privileged activity such as exports, bulk downloads and permission changes
• Monitor and mine event logs, especially PHI access logs, for unusual volume, after-hours access and use of inactive accounts
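The last two bullets (audit user accounts, monitor privileged activity, mine event logs) are the ones that turn into code. The script below is an added example, not material from the original slides or from ComplianceOnline: it reviews a constructed JSON-lines PHI access log against an assumed active-account list and flags inactive-account use, privileged actions, after-hours access and unusually high per-user record volume. The log format, field names, account list, thresholds and business hours are all assumptions chosen for the example; a real EHR audit log will need its own parser in place of parse_events.

```python
"""Review of PHI access audit logs: an added example, not code from the original slides.

The log format, field names, account list and thresholds below are assumptions
chosen for this example, not an HHS requirement or any product's real format.
"""
import json
from collections import defaultdict
from datetime import datetime

# Assumed review policy (illustrative values, not from the slides or the rule).
MAX_DISTINCT_PATIENTS_PER_DAY = 20   # more than this per user per day is flagged
BUSINESS_HOURS = (7, 19)             # 07:00 inclusive to 19:00 exclusive, local time
PRIVILEGED_ACTIONS = {"export", "bulk_download", "role_change"}

# Constructed stand-in for the HR / identity feed used to audit accounts:
# "ex_employee" has been deprovisioned but still shows up in the log below.
ACTIVE_ACCOUNTS = {"nurse_k", "billing_t", "admin_r"}


def constructed_audit_log():
    """Constructed JSON-lines audit events from a hypothetical EHR. Not real data."""
    events = [
        ("2024-03-04T09:12:01", "nurse_k", "nurse", "view", "P1001"),
        ("2024-03-04T09:15:44", "nurse_k", "nurse", "view", "P1002"),
        ("2024-03-04T11:00:00", "admin_r", "admin", "export", "*"),
        ("2024-03-04T11:05:00", "ex_employee", "nurse", "view", "P1009"),
    ]
    # billing_t pages through 25 different charts between 02:00 and 02:24.
    events += [
        (f"2024-03-04T02:{m:02d}:00", "billing_t", "billing", "view", f"P2{m:03d}")
        for m in range(25)
    ]
    keys = ("ts", "user", "role", "action", "patient_id")
    return "\n".join(json.dumps(dict(zip(keys, e))) for e in events)


def parse_events(text):
    """Parse JSON lines; a malformed line becomes an error record, never a silent drop."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            missing = [f for f in ("user", "action", "patient_id") if f not in rec]
            if missing:
                raise KeyError(missing)
        except (ValueError, KeyError, TypeError) as exc:
            # Truncated or tampered log lines are themselves worth a reviewer's eye.
            events.append({"_error": f"line {lineno}: {exc!r}"})
            continue
        events.append(rec)
    return events


def review(text):
    """Return findings as dicts {rule, user, detail} for a human reviewer."""
    findings = []
    distinct_patients = defaultdict(set)   # (user, day) -> patient ids touched
    after_hours = defaultdict(int)         # (user, day) -> events outside hours

    for e in parse_events(text):
        if "_error" in e:
            findings.append({"rule": "unparseable", "user": None, "detail": e["_error"]})
            continue
        user, ts = e["user"], e["ts"]
        key = (user, ts.date().isoformat())
        what = f"{ts.isoformat()} {e['action']} {e['patient_id']}"

        if user not in ACTIVE_ACCOUNTS:          # account audit: orphaned / disabled users
            findings.append({"rule": "inactive_account", "user": user, "detail": what})
        if e["action"] in PRIVILEGED_ACTIONS:    # privileged activity always reviewed
            findings.append({"rule": "privileged_action", "user": user, "detail": what})
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            after_hours[key] += 1
        distinct_patients[key].add(e["patient_id"])

    # Aggregated rules are emitted once per user per day to keep the review readable.
    for (user, day), patients in distinct_patients.items():
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append({"rule": "high_volume", "user": user,
                             "detail": f"{day}: {len(patients)} distinct patient records"})
    for (user, day), n in after_hours.items():
        findings.append({"rule": "after_hours", "user": user,
                         "detail": f"{day}: {n} accesses outside "
                                   f"{BUSINESS_HOURS[0]:02d}:00-{BUSINESS_HOURS[1]:02d}:00"})
    return findings


if __name__ == "__main__":
    for f in review(constructed_audit_log()):
        print(f"{f['rule']:<18} {f['user'] or '-':<12} {f['detail']}")
```

On the constructed log this yields four findings: the deprovisioned account still viewing a chart, the admin export, and billing_t both exceeding the daily record threshold and working through 25 charts at 2 a.m.; nurse_k's two daytime views produce nothing. The thresholds are deliberately simple; in practice they are tuned per role, and the findings feed a ticket queue rather than a printout.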


Want to learn more about HIPAA, the HIPAA Privacy and Security Rules, their requirements and best practices to comply with them? ComplianceOnline webinars and seminars are a great training resource. Check out the following links:
• How to examine security policies, practices, and risk issues to comply with HIPAA
• How to use social media and texting without breaking HIPAA rules
• How to conduct risk analysis to comply with HIPAA
• HIPAA/HITECH Assessment for Healthcare Business Associates
• How to comply with HIPAA Omnibus Rule
• Understanding new rules and responsibilities of Privacy Officer under HIPAA
• HIPAA Security and Breach Rule Compliance

