The deadline is approaching for health care providers to comply with the updated Health Insurance Portability and Accountability Act (HIPAA), which specifically addresses medical data breach notification requirements. When a breach occurs – and remember, the experts tell us it is a question of “when” and not “if” – will your response be fast, effective and meet the standards for HIPAA compliance?
You have until Sept. 23 to prepare. The updated Act, announced by the U.S. Department of Health and Human Services (HHS) in January, expands protections of patient health information, and updates standards for medical data breach notification requirements to bring them in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The changes have extended medical data breach accountability to encompass virtually every organization that touches patients’ protected health information. The rules also revise and clarify what constitutes a breach, and remove the harm standard. Previously, HIPAA-covered entities were allowed to forgo notification if they could demonstrate the breach posed no significant risk of harm to the individuals whose data had been compromised. With medical identity theft on the rise, it is indefensible to argue that you shouldn’t have to notify breach victims because harm is unlikely.
In a nutshell, you no longer have to wonder if you need to notify patients when their personal information is leaked or stolen from your organization. The updated HIPAA rules make it imperative you do so.
If you haven’t already done it, creating a breach response plan that includes data breach resolution services is the last and most important step you need to take to achieve HIPAA compliance by the deadline. You wouldn’t advise patients to self-medicate, so why would you try to manage your own remedy when a medical data breach occurs?
To help you get started, download our Data Breach Response Guide, which includes an updated HIPAA/HITECH section.