A Primer in Four Parts on Breach under HIPAA and HITECH Act Rules: Part 1

 

June 11, 2015.   In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures.  In this four part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment, factors in determining a reportable breach, breach notification requirements, and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.  In this part, we present the definition of breach from the January 25, 2013, so-called Omnibus Final Rule [also referenced in the text as 45 FR ] that is in the Code of Federal Regulations (CFR) at 45 CFR 164.402:

 

 

 

AHIMA Survey Indicates Healthcare Industry Lags on Implementing ‘Information Governance Policies and Procedures’

On May 20, 2014, iHealthBeat, a service of the California HealthCare Foundation, published preliminary results from a survey conducted by the American Health Information Management Association (AHIMA) in an article entitled:  “Survey:  Health Care Sector Lags in Information Governance Programs.”  The article is available online at:  http://www.ihealthbeat.org/articles/2014/5/20/survey-health-care-sector-lags-in-information-governance-programs, and the text of the article is reproduced here:

 

A Christmas Present to Avoid by Planning Ahead to Achieve HIPAA/HITECH Act Security Compliance

On December 24, 2013, a New England dermatology practice agreed to pay a financial penalty of $150,000 to HHS as part of a resolution agreement and corrective action plan“for not having policies and procedures in place to address the breach notification provisions of the [HITECH Act]” following theft of an unencrypted thumb drive containing electronic protected health information (ePHI). While the practice reported to HHS the breach of its ePHI, the required OCR investigation thereafter indicated that the practice had not performed a risk analysis as part of its security management process until after the breach, did not have written policies and procedures implemented until after the breach, and had not trained its workforce members on those policies and procedures.

The Biggest Risk for Health Care Organizations

“The biggest risk for health care organizations is to not effectively identify, mitigate, manage and finance risks from an enterprise perspective…. An enterprise risk approach will identify for each health care organization its biggest risk. In addition, technology in general is a big risk for health care organizations. Oftentimes, technology advances more rapidly than organizations can handle...

Categories



Archives

  • October 2017 (1)
  • August 2017 (3)
  • July 2017 (1)
  • June 2017 (7)
  • May 2017 (12)
  • April 2017 (10)
  • March 2017 (2)
  • February 2017 (3)
  • January 2017 (4)
  • December 2016 (4)
  • November 2016 (7)
  • October 2016 (7)
  • September 2016 (2)
  • August 2016 (1)
  • July 2016 (3)
  • June 2016 (1)
  • May 2016 (1)
  • April 2016 (8)
  • March 2016 (6)
  • February 2016 (2)
  • December 2015 (1)
  • November 2015 (1)
  • October 2015 (4)
  • September 2015 (1)
  • June 2015 (8)
  • May 2015 (3)
  • April 2015 (2)
  • March 2015 (1)
  • November 2014 (1)
  • September 2014 (15)
  • August 2014 (6)
  • July 2014 (1)
  • June 2014 (13)
  • May 2014 (11)
  • April 2014 (13)
  • March 2014 (6)
  • February 2014 (12)
  • January 2014 (3)
  • December 2013 (1)