June 11, 2015. In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and of supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures. In this four-part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment, the factors in determining a reportable breach, the breach notification requirements, and how to create a safe harbor from the consequences of a breach of unsecured protected health information (PHI). In this part, we present the definition of breach from the January 25, 2013, so-called Omnibus Final Rule [also referenced in the text as 45 FR ], which is codified in the Code of Federal Regulations (CFR) at 45 CFR 164.402:
On May 20, 2014, iHealthBeat, a service of the California HealthCare Foundation, published preliminary results from a survey conducted by the American Health Information Management Association (AHIMA) in an article entitled: “Survey: Health Care Sector Lags in Information Governance Programs.” The article is available online at: http://www.ihealthbeat.org/articles/2014/5/20/survey-health-care-sector-lags-in-information-governance-programs, and the text of the article is reproduced here:
On December 24, 2013, a New England dermatology practice agreed to pay a financial penalty of $150,000 to HHS as part of a resolution agreement and corrective action plan “for not having policies and procedures in place to address the breach notification provisions of the [HITECH Act]” following the theft of an unencrypted thumb drive containing electronic protected health information (ePHI). The practice did report the breach of its ePHI to HHS, but the OCR investigation that followed found that the practice had not performed a risk analysis as part of its security management process until after the breach, had not implemented written policies and procedures until after the breach, and had not trained its workforce members on those policies and procedures.
“The biggest risk for health care organizations is to not effectively identify, mitigate, manage and finance risks from an enterprise perspective…. An enterprise risk approach will identify for each health care organization its biggest risk. In addition, technology in general is a big risk for health care organizations. Oftentimes, technology advances more rapidly than organizations can handle...