HIPAA Breach Practices and Procedures

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is a national standard for electronic healthcare transactions and code sets, unique health identifiers, and security. These regulations aim to keep medical patients’ information secure. Covered companies, including health plan providers, health care clearinghouses, and health care providers, must follow these standards and procedures. Companies that fail to follow these regulations face large monetary fines or even jail time.

Essentially, a breach is any act that compromises the security and/or privacy of protected information. This includes any access, use, or disclosure of information that threatens the financial, reputational, or other interests of a protected individual. Exceptions to these regulations include: unintentional violations made in good faith and within the scope of authority, inadvertent disclosure between two authorized parties, and disclosures made to people who the authorities believe will not retain the information.

When a breach occurs, businesses should adhere to the following process. It is important to keep a record of each step in order to demonstrate compliance. When a business relies on one of the above exceptions, it must document a risk assessment of the incident that demonstrates the probability that the data were compromised:

  • Individual notice: Depending on its contracts, a business must reach out to affected individuals by first class mail or email to inform them of what breach occurred, what information was involved, the steps affected individuals should follow, and the violating company’s contact information. If there are multiple victims and 10 or more of them have out-of-date contact information, the company must post the notice on its website’s home page for a minimum of 90 days or provide notice in major print or broadcast media. A noncompliant business must also set up a phone number that customers can call to enquire about the security of their own information; that number must remain active for 90 days. All of these steps must be completed within 60 days of the breach’s discovery.
  • Media notice: If more than 500 residents are affected, businesses are required to notify major media outlets. It is recommended that this information be presented in a press release, and it is required that it follow the same 60-day maximum timeline as individual notices. The information included should mirror that outlined in the individual notices.
  • Notice to the Secretary: Because this is a government-regulated process, companies must also notify the Secretary of HHS of breaches. This form can be completed online on the HHS website. If more than 500 individuals were affected, the notification must follow the breach within 60 days; if fewer were affected, annual reporting is acceptable.

Businesses are required to put in place written policies and procedures to protect patients’ rights, and they are required to train their employees on those HIPAA policies and procedures. Sanctions must be developed that impose appropriate punishments on noncompliant staff members. Here at Percento Technologies, we can help ensure your business’s HIPAA compliance is up to date and can increase your customers’ security. We have experienced specialists on staff, trained to help your business remain in line with these strict regulations. If you’re interested in learning more about how we can help you avoid costly breaches, give us a call today!