What Happens After a Data Breach?
The federal health care breach notification rule requires HIPAA covered entities (providers, insurers and vendors who must comply with HIPAA transaction sets) to report breaches of protected health information affecting 500 or more individuals to the Department of Health and Human Services' Office for Civil Rights.
OCR posts the breaches to a public Web site. And there have been a lot of postings: by mid-June, 288 listings had filled what is called the "Wall of Shame" in just an 18-month period.
Experts who make their living helping covered entities with the aftermath of a major breach say there are several factoids everyone should keep in mind:
* You'll have a breach if you haven't already. You'll have more than one. While only major breaches get listed on a public Web site, all incidents affecting protected health information must periodically be reported to the feds. As of mid-May there had been 31,000 reports of smaller breaches since September 2009;
* The cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach;
* Privacy and security officers, often ignored and unfunded before a breach, suddenly find themselves to be appreciated and getting substantial budgets after a major breach;
* How an organization behaves after a major breach helps determine how well it recovers from the breach;
* Most states have their own breach notification laws that may be different from the federal rule, and many require the reporting of breaches to one or more state agencies, such as the insurance department, health department and/or attorney general; and
* Your breach remediation plan, if you have one, likely is unrealistic.
A feature story in the August issue of Health Data Management examines the steps organizations should take and the challenges they face following a major breach of protected health information.