Pouch Records Management


HIPAA | Health Insurance Portability and Accountability Act


HIPAA Data Breach Notification Rules

PUBLISHED ON AUGUST 24, 2009  
The US Department of Health and Human Services (HHS) fulfilled its obligations under ARRA (the American Recovery and Reinvestment Act) by publishing a rule on notification requirements related to data breaches. Here are the high points:
• The rule does not replace or modify any guidance already provided in the Security Rule.
• Unsecured protected health information is PHI that is not secured using an HHS-specified technology or methodology.
• Only encryption and destruction are technologies recognized in the rule as denying unauthorized individuals access to accidentally disclosed PHI (exposure of encrypted or destroyed information is not considered a breach).
• Redaction of paper records, and digital security measures such as firewalls, password protection or other access controls identified in the Security Rule, are not recognized as preventing accidental disclosure. If these protection measures are somehow rendered ineffective and an unauthorized person gains access to PHI, this is considered a breach even though the protection methods used are compliant with the Security Rule.
• Encryption methods used with data at rest should be compliant with NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices.
• Encryption technologies used with data in motion should be compliant with NIST SP 800-52 (Transport Layer Security), 800-77 (IPsec VPNs) or 800-113 (SSL VPNs), or be otherwise validated under Federal Information Processing Standard (FIPS) 140-2.
• Here are the destruction guidelines for paper and electronic media, as quoted from the rule:
   "The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
   (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
   (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."
• A breach is considered “discovered” by a business associate on the first day it is known.
• The covered entity (client) must be notified in a timely manner and no later than 60 days after the breach is discovered – individuals whose information was potentially breached should be identified if possible.
• Communication should include the following: brief statement of what happened; type of PHI involved in the breach; steps individuals should take to prevent harm from breach; info about the investigation and what is being done to prevent future breaches; and contact procedures individuals can use to find out more information.
• If more than 500 persons are involved, the media must be notified.
The rule goes into effect on September 23, 2009.

HIPAA was enacted in 1996 as part of a broad congressional attempt at incremental health care reform. The law required the United States Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information. DHHS's rules and regulations focus on four primary areas: privacy, security, transaction standards and code sets, and unique identifiers.


HIPAA Overview

The Privacy Rule requires covered entities to guard against misuse of personally identifiable health information and limit the sharing of such information. The Privacy Rule also grants consumers significant rights regarding the use and disclosure of their health information.

The Security Rule requires covered entities to implement basic safeguards to protect electronic protected health information (“PHI”) from unauthorized access, alteration, deletion, and transmission. The security standards define the administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
