Breach Notification Under HIPAA – When Health Information is Compromised

Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was written in part to promote the electronic exchange of health information, it is well understood that protecting the privacy and security of patient information is the responsibility of every “covered entity.” Covered entities include healthcare providers who conduct certain financial and administrative transactions electronically (e.g., electronic claims submission).

Unfortunately, Protected Health Information (PHI) can become compromised in an instant: lost or stolen laptops, jump drives, iPhones, and other external portable devices; misdirected faxes, emails, and regular mail; workforce members improperly accessing (a/k/a “snooping”) PHI within an organization; posting PHI without authorization on social media; texting patient photos; conversing about patients in public places; and the list goes on and on.

When protections fail and unsecured PHI is compromised, HIPAA’s Breach Notification Rule requires covered healthcare providers to notify affected patients and the Secretary of Health and Human Services (HHS) and, if the breach involves 500 or more individuals, the media. (Breaches affecting fewer than 500 individuals must still be reported to HHS, but may be logged and submitted annually rather than immediately.) In addition, a covered entity’s “business associate” must notify the covered entity when it discovers such a breach.

There are steps you can take ahead of time to prepare for a breach, including conducting a breach risk analysis. For details, and for specifics on how to respond once a breach has occurred, read the article in its entirety, beginning on page 1 of our Spring 2015 Dateline.

The piece from which this excerpt is taken was written by Laurel E. Baum, Esq., of Hancock Estabrook, LLP.