A recently released breach notification guide from the Workgroup for Electronic Data Interchange aims to help healthcare organizations assess whether notification is required under the updated HIPAA Omnibus Rule.
The update, which went into effect last year, replaces the breach notification rule's "harm" threshold with a more objective standard that requires considering at least four factors, including the nature and extent of the personal health information involved, the likelihood that the data was actually accessed and the extent to which the risk to the PHI has been mitigated.
The guide contains pretty basic information that most larger and risk-averse organizations likely already have covered, security expert Kate Borten, principal of consulting firm The Marblehead Group, told HealthcareInfoSecurity; it's more likely to be useful to smaller organizations and business associates.
"It's important for each organization to identify what breach laws [including state regulations] it is subject to, and add breach determination and notification details to their incident response plan," Borten said, adding that smaller organizations tend not to have staff assigned and trained to handle breach reporting.
Creating a documented response plan but failing to test it means you really aren't prepared, privacy and security specialist Rebecca Herold, a partner at the Compliance Helper and CEO of The Privacy Professor, says in the article.
Herold cited other mistakes, including:
- Not including all the key stakeholders necessary for breach response, including the public relations team and physical security and safety personnel.
- Lack of targeted and in-depth training for those on the breach response team.
- Copying another organization's breach response plan and using it verbatim.
The U.S. Department of Health & Human Services' "wall of shame" website lists more than 800 health data breaches that affected 29.3 million people since September 2009, with 70 breaches reported in January alone. At the same time, healthcare security pros say their departments are understaffed.