
Reports of privacy and security breaches usually bring to mind laptop thefts or computer hacking. Yet many providers remain at risk for inadvertent breaches, such as mailings to incorrect beneficiaries, misdirected paper faxes or electronic transmissions containing patient information, or unattended workstations with patient records on display. When a breach has been identified, prompt action is essential to protect patients, minimize the risk of civil and criminal penalties, and ensure that the health care provider complies with Federal and state privacy requirements.

The Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) Privacy Rule requires providers to maintain the security and confidentiality of protected health information (“PHI”). Whether paper or electronic, PHI includes any information relating to a patient’s physical or mental health, the provision of health care, or payments for the provision of health care. Under HIPAA’s Security Rule, covered entities (“CEs”) must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI against any reasonably anticipated threats. Moreover, CEs must protect against any reasonably anticipated prohibited uses or disclosures and ensure compliance with the Rules by their workforce.

A CE must implement reasonable and appropriate policies and procedures to comply with the Rules’ standards and implementation specifications. If, however, an organization suffers a security breach, HIPAA requires specific responses. First, CEs must notify the patient and/or the Department of Health and Human Services Office for Civil Rights. Furthermore, Florida law imposes certain notification requirements when there has been a security breach. The Security Rule also requires that CEs mitigate, that is, take steps to limit the harmful effect of any disclosure and ensure future security. These steps may include:

  1. Conducting a thorough investigation. CEs must take immediate action to stop the source of the vulnerability: investigate what information was disclosed and how it was disclosed, then institute appropriate remedial actions. CEs may consider having an independent third party, such as an attorney, perform this investigation. An attorney’s impartial report may be received as more credible if it becomes necessary to report any information to a Federal or state agency.
  2. Implementing training sessions. Use these sessions to inform staff of the duties and obligations to protect PHI and comply with privacy and security policies and procedures.
  3. Notifying victims or potential victims. Prepare a communication plan to provide victims with pertinent information regarding the breach. Legal counsel may assist CEs in assessing the significance of the breach and complying with the CE’s notification obligations.

Although nearly all health care providers are required to comply with the HIPAA Security Rule, the law gives CEs the flexibility to institute measures that are appropriate and reasonable for their practices. Nonetheless, CEs should not be lulled into complacency by the permissiveness and flexibility of the Security Rule. A provider who fails to adequately protect PHI may be subject to civil monetary penalties and criminal penalties. Thus, when a provider learns of a security breach, it must quickly identify how the breach occurred and implement appropriate corrective measures.