OCR posts the breaches to a public Web site. And there have been a lot of postings: by mid-June, 288 listings had filled what is called the "Wall of Shame" in just an 18-month period.
Experts who make their living helping covered entities with the aftermath of a major breach say there are several factoids everyone should keep in mind:
* You'll have a breach if you haven't already. You'll have more than one. While only major breaches get listed on a public Web site, all incidents affecting protected health information must periodically be reported to the feds. As of mid-May there had been 31,000 reports of smaller breaches since September 2009;
* The cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach;
* Privacy and security officers, often ignored and unfunded before a breach, suddenly find themselves to be appreciated and getting substantial budgets after a major breach;
* How an organization behaves after a major breach helps determine how well it recovers from the breach;
* Most states have their own breach notification laws that may be different from the federal rule, and many require the reporting of breaches to one or more state agencies, such as the insurance department, health department and/or attorney general; and
* Your breach remediation plan, if you have one, likely is unrealistic.
A feature story in the August issue of Health Data Management examines the steps organizations should take and the challenges they face following a major breach of protected health information.