The healthcare industry is built on trust. Your patients entrust you with their data, and you take great pains to ensure that it is protected. Nonetheless, no matter what the size and scope of your Kansas practice, breaches can happen. That’s why it’s important it to know what to do if you experience a healthcare data breach and how you can protect your practice for the future.
Here’s how your medical practice should respond in the event of a healthcare data breach:
The Official Breach Rule
HIPAA compliance mandates that healthcare facilities implement cybersecurity measures to ensure data remains protected. These measures are outlined in section 45 CFR §§ 164.400-414 of HIPAA regulations and require that you notify all affected parties in the event that unsecured protected data is compromised.
The first thing your practice will need to do if you have experienced a healthcare security breach is to determine whether or not the breach is high-risk and falls under the official breach rule. The key to a breach as defined by HIPAA is that it must concern unsecured protected health information. This means that data that is encrypted or unreadable is not subject to this rule. Assess the breach based on the following factors:
- The nature of the information involved and the extent of the breach.
- Whether the information was actually viewed or obtained.
- Which unauthorized person(s) used this information and to whom it was disclosed.
- Whether the risk to the information has been mitigated and to what extent.
The more sensitive the data and the more thorough the attack, the higher risk the breach is. The people who have access to the data following the breach and whether or not you can resecure it are major factors in determining whether the breach is high-risk.
If your assessment reveals that your organization’s health information was compromised, you are required to issue notifications to all affected parties.
Who You’re Required to Notify
If a data breach falls under the official breach rule, you’ll need to send notifications to the following: any affected individuals and business associates, the Secretary of the US Department of Health & Human Services (HHS), and the media if the breach is high-risk enough.
You may send notifications by first-class mail or email to individuals. You may not send electronic notifications unless you have individuals’ consent. Your time limit for sending these notifications is 60 days and your notification must include the following information:
- What information was accessed in the breach.
- What steps the individual should take to protect themselves.
- What you’re doing to determine the cause of the breach.
- How you plan to resolve the issue.
If any of your business associates are also affected by a breach of protected information, they need to inform your practice within 60 days. It is also important that they disclose which of their personnel, clients, or other individuals associated with their business were impacted by the breach so they can send out notifications as well.
The Secretary of HHS
You are also required to notify the Secretary when a breach of unsecured protected health information occurs. Your notification must be sent within 60 days if more than 500 people are affected. In any other case, the notification can be sent with your yearly report to the Secretary.
You can file an official Breach Report by using this link: Submit a Notice to the Secretary of HHS for a Breach.
In many cases, sending notifications to the first two parties is sufficient. But if more than 10 people are affected by the breach, you’ll need to publish an official notice on your website for up to 3 months or notify the media. A press release would be in order if over 500 people were affected by the breach.
Low-Risk Breaches Not Requiring Notification
There are some situations where a breach may occur but you do not necessarily need to send out notifications to affected parties. Your breach assessment may reveal that the scenario is low-risk; for example, the data was not actually viewed or is in an unreadable format.
Here are some examples of low-risk situations that are not considered security breaches according to HIPAA regulations:
- The data was accidentally shared between two parties who would otherwise be authorized to access the information.
- An employee or associate accidentally accesses or uses protected health information in good faith. This is not considered a breach if it is within the scope of their job duties.
- The unauthorized person who breached the data could not save or retain it.
How to Assess a Breach
Internal IT personnel may be able to assess the breach in order to determine whether the scenario is high-risk or low-risk and falls under the official breach rule. However, if you have no internal IT team, you’ll need to consult a cybersecurity professional. You’ll likely want to hire a Managed Service Provider (MSP) who specializes in healthcare IT services. These outsourced professionals have the tools and resources needed to monitor and maintain the security of your information systems.
How to Mitigate the Effects of Future Data Breaches
Being the victim of a data breach can be frustrating if not severely damaging to your practice. Though you can’t always resolve every issue a healthcare data breach has caused, you can mitigate the effects future cyber attacks have on your practice.
Your first priority after suffering a data breach should be to discover what vulnerabilities exist in your cybersecurity and eliminate them. By doing this, you can limit damage that occurs in the case of a future breach. There are several steps your practice can take to minimize the damage caused by a breach:
- Reevaluate your cybersecurity plan and acquire more IT personnel and resources as needed. An IT Managed Service Provider who specializes in HIPAA compliant IT can assist you in restructuring that plan to better protect against future cyber attacks.
- Conduct a thorough investigation and audit following a breach so you can discover where your security is lacking. Implement defensive security measures to combat these weaknesses.
- Encrypt your protected health information and ensure it is stored in an unreadable or unusable form. That way, the data is useful to attackers who acquire it.
To speak to our healthcare-focused IT Professionals in Kansas about what your practice can do to maintain HIPAA-compliant cybersecurity, contact us today.