This article covers what you need to to do if you are a Healthcare organization in Illinois facing a breach of your information systems, leading to the potential exposure of your patients’ private data.
The Official Breach Rule
The part of HIPAA that goes over your responsibilities in the event of a breach is 45 CFR §§ 164.400-414. You and your business associates are required to send notifications to affected parties when unsecured, protected health information is breached.
Breaches That Require Notification
You need to perform a complete assessment of the breach to determine whether it's a high risk or low-risk scenario. This assessment is based on the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
If your assessment finds that the health information was indeed compromised, then the breach rule would be in affect and notification of affected parties would apply.
Breaches That Do Not Require Notification
You may encounter a few situations where a breach has occurred but you're not required to send out these notifications. Your breach assessment will determine whether it's a low-risk scenario where the data is in a format that is not readable or was not actually accessed at all. You only need to perform this assessment if you believe that this breach is not actionable and doesn't require notification.
Other situations that aren't considered data breaches under the HIPAA rules include:
- Someone unintentionally accessing or using protected health information who is in your workforce or working with a business associate, in good faith, would not be considered a breach as long as that's within the scope of their employment.
- If the protected health information was accidentally shared between two entities that would otherwise be authorized to view this data.
- If the covered entity believes that the unauthorized person could not save or otherwise keep this data.
The key aspect of breaches as defined by HIPAA is that they concern unsecured protected health information. If the data is encrypted, unusable or otherwise rendered unreadable, then it would not fall under this rule.
How to Assess a Breach
If you have an internal IT department, they may be able to perform an assessment of the breach to determine whether it was a high or low risk scenario. If you do not have an internal IT team, you may consult a cybersecurity professional, such as an Managed Service Provider (MSP) who specializes in Healthcare IT Services. They are equipped with the tools to monitor, protect, and report on the threats to your information systems.
Who You’re Required to Notify
Once you establish that the data breach does fall under the HIPAA rule, you need to issue notifications to three parties: individuals, the Secretary and the media. In some cases, you only need to send out the first two notifications.
Individual
You have the option to send notifications out via first-class mail or email. If you want to send electronic notification, you do need the individual's consent ahead of time. Some of the contact information you have on file may be out of date. If you run into this situation with 10+ people, then you need a notice on your website for 3 months or you need to send a notice to major publications and media.
You have 60 days to send out this notification. The information that you include in the notice is the information that was accessed due to the breach, the steps they should take to protect themselves, what you're doing to discover the causes of the breach, and your plan to resolve this problem.
Media Notice
When more than 500 individuals are involved in a breach, you have to send out notification to the media. Generally, you would issue a press release. This notice also falls under the 60-day timeline.
Secretary
You also need to send a breach report form to the Secretary of the U.S. Department of Health & Human Services (HHS). If you have a breach that involves 500+ people, you have to report it within 60 days. If this number is lower, then you can send in the form yearly.
A Breach Report can be filed for both scenarios by clicking the links below:
Business Associates
If one of your business associates suffers from a data breach, they should inform you within 60 days. They also need to tell you the individuals impacted by this breach so you can send out the appropriate notifications.
Next Steps… Minimizing the Impact of Data Breaches
You can minimize the damage that a data breach does through a proactive approach. Look at your cybersecurity strategy and bring in more IT resources as required. A Managed IT Service Provider that specializes in HIPAA compliant cybersecurity is an invaluable partner.
If you suffer from a breach, you want to find out the exploits that it used to get into your system, whether the vulnerability still exists, and the steps you need to take to eliminate this attack surface.
A complete audit and investigation following the data breach can yield useful information about the security gaps. Look for ways to bolster your defenses so a similar attack would fail to have as much of an impact.
The protected health information should be encrypted and otherwise be stored in an unusable form. If the attacker steals this information but doesn't have the encryption key, then this data is useless to them.
Data breaches are an unfortunate reality that many healthcare organizations must face. While you can't eliminate the threat of an attack, you can stop it from causing harm to the individuals who trust you with their health information.
To speak to our IT Professionals in Illinois about your options for HIPAA compliance or our IT Services for Healthcare organizations, feel free to contact us.
