South Florida Hospital News
Monday May 25, 2020

test 2

October 2008 - Volume 5 - Issue 4




Are You Ready For A Security Breach?

Reports of privacy and security breaches usually bring to mind laptop thefts or computer hacking. Yet many providers remain at risk for inadvertent breaches, such as mailings to incorrect beneficiaries, misdirected paper faxes or electronic transmissions containing patient information, or unattended workstations with patient records on display. When a breach has been identified, prompt action is essential to protect patients, minimize the risk of civil and criminal penalties, and ensure that the health care provider complies with Federal and state privacy requirements.

The Health Insurance Portability and Accountability Act of 1996’s ("HIPAA") Privacy Rule requires providers to maintain the security and confidentiality of protected health information ("PHI"). Whether paper or electronic, PHI includes any information relating to a patient’s physical or mental health, the provision of health care, or payments for the provision of health care. Under HIPAA’s Security Rule, covered entities ("CE") must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity and availability of electronic PHI against any reasonably anticipated threats. Moreover, CEs must protect against any reasonably anticipated prohibited uses or disclosures and ensure compliance with the Rules by its workforce.

A CE must implement reasonable and appropriate policies and procedures to comply with the Rules’ standards and implementation specifications. If, however, an organization suffers a security breach, HIPAA requires specific responses. First, CEs must notify the patient and/or the Department of Health and Human Services Office for Civil Rights. Furthermore, Florida law imposes certain notification requirements when there has been a security breach. The Security Rule also requires that CEs mitigate, that is, take steps to limit the harmful effect of any disclosure and ensure future security. These steps may include:

  1. Conducting a thorough investigation. CEs must take immediate action to stop the source of vulnerability, such as, investigating what information has been disclosed and how it was disclosed, then instituting appropriate remedial actions. CEs may consider having an independent third party, such as an attorney, perform this investigation. An attorney’s impartial reports may be received as more credible if it is necessary to report any information to a Federal or state agency.
  2. Implementing training sessions. Use these sessions to inform staff of the duties and obligations to protect PHI and comply with privacy and security policies and procedures.
  3. Notifying victims or potential victims. Prepare a communication plan to provide victims with pertinent information regarding the breach. Legal counsel may assist CEs in assessing the significance of the breach and complying with the CE’s notification obligations.
Although nearly all healthcare providers are required to comply with the HIPAA Security Rule, the law provides flexibility for CEs to institute measures that are appropriate and reasonable for their practices. Nonetheless, CEs should not be lulled into complacency by the permissiveness and flexibility of the Security Rule. A provider who fails to adequately protect PHI may be subject to civil monetary penalties and criminal penalties. Thus, when a provider learns of a security breach, it must quickly identify how the breach occurred and implement appropriate corrective measures.
Vanessa A. Reynolds is Of Counsel in the Fort Lauderdale office of Broad and Cassel and is a member of the Firm’s Health Law Practice Group. She can be reached at (954) 764-7060 or Joanne Charles also is a member of the Health LawPractice Group in the same office of the statewide firm. She can be reached at
Share |