When Do Providers Need to Report a Data Breach?

The Workgroup for Electronic Data Interchange recently published guidance on required steps to take to determine if a breach of protected health information must be reported to affected patients and the Department of Health and Human Services.

The guidance covers the HIPAA Omnibus Rule enacted in 2013, which changed some breach notification procedures, including a presumption that a breach has occurred once an incident is discovered, until the entity can demonstrate a low probability that PHI has been compromised.

For instance, there are several circumstances in which notification need not be made following a breach. The compromised information may turn out not to include protected health information, or the compromised PHI may be unusable, unreadable or indecipherable to unauthorized persons through encryption or other means. There are also three scenarios in which unintentional access to PHI or an inadvertent disclosure need not be reported because the incident involved trusted authorized persons or the information disclosed cannot be retained by the recipient.

Absent those exemptions, the guidance walks through a risk assessment to determine the probability of a breach and the decision processes needed to determine whether the breach requires notification. Finally, it lays out a series of procedures for implementing improvements to the security and confidentiality of protected health information. The guidance is available here.