Do you know anyone you have been a victim of breach or are you the one who had suffered this in the past? Well, in order to battle with breach the first important step is to discover whether the incident is actually a breach or is just distorted alarm for you.
You don’t need to be a health care industry for suffering through a health information breach. According to Verizon’s PHI Data Breach Report of 2015, almost 90% of industries from every sectors have had protected health information. The companies which becomes the victims of PHI breach could face negative consequences like regulatory fallout. Protected health information ( PHI) is personally identifiable information regarding health which is collected from an individual and is covered under many state, federal disclosure laws. HHS expects your response before a breach happens, so we suggest you to include this in your HIPAA Compliance Plan. This is regarded as the best way to safeguard yourself from breach. Here are few guidelines to moderate your breach:
Performing Risk Analysis
You need to conduct risk analysis quickly and comprehensively. Here is the list of thing you should consider:
- Date of starting and ending of breach?
- Date of discovering the breach
- How many people are getting affected?
- Sort of breach that has occurred – Improper disposal, Hacking, Theft, Loss and unauthorized disclosure.
- The place where breach has occurred
- Category of PHI involves – Demographic, Clinical, Financial and Other.
When you review these information, you end up grasping a better understanding of whether it really took place or what has happened.
In case, you have discovered that it’s a breach together with a transpired criminal activity then you should immediately contact your local authority.
Patients Notification
Each and every patient should be notified through U.S. Mail if any breach takes place. It will not be applicable in case you have marked off that all notifications will be send via email in your Notice of Privacy Practices.
If you choose to send notifications electronically, all your patients must sign off and agree on this communication method. We recommend you to include clause like this in your plan as it will save your time and money. You need to contact Total HIPAA in order to make sure it is properly laid.
Remember to add these point in your Patient Notification:
- Short description of the breach, date of discovering breach and date of the breach.
- Type of unsecured PHI intricate ( name, DOB, address, treatment codes, health information etc.)
- A short explanation of what entity is doing to scrutinize, mitigate and protect the breaches.
Clause In Business Associate Agreement
Many times business associates are also responsible for breach. This could result in opening up an audit, according to the Common Agency Provision from HHS under Omnibus Ruling. You can add a clause in Business Associate Agreement which will state that in case of breach of information it is mandatory to inform you within 15 days. Make sure to get a complete review of the account from your business associates and communicate all the information which is relevant to the sick person in order to protect them.
You need to keep these points in your mind to avoid being the victim of breach. Nowadays, many medical practices are becoming hacks victims, lost devices, malware attacks and negligence of the employees. In order to avoid the negligence of the staff, train and test staff on the procedures and policies of HIPAA. They need to understand the importance of their role in protecting information. Even your decision of outsourcing if not taken with care can make you the breach victim. According to security firm Trustwave two thirds of breaches are caused by wrong bad outsoucring decsion.You need to be smart in choosing your reliable outsourcing partner and by planning out how to deal with a problem even before it occurs. This plan will save your time, money and mitigate any breach at a faster speed.