Covered entities and their business associates need to understand the basics of how HIPAA data breaches are determined, and what they can do to keep information secure.
As more healthcare organizations implement new technologies, connect to health information exchanges, and adopt electronic health record systems, they expose themselves to more online threats and, with them, to more potential HIPAA data breaches.
Patient information, in particular PHI, will continue to become more accessible to providers, but also more readily accessible to unauthorized third parties and attackers.
How can covered entities and their business associates ensure that they remain current with the latest technological advances while maintaining PHI security? Can hospitals guarantee that they will never be breached? Are ransomware attacks also considered HIPAA violations?
By understanding the basics of what constitutes a HIPAA data breach, healthcare organizations will be better able to create comprehensive data security plans applicable to their own daily operations.
What constitutes a PHI breach under HIPAA regulations?
Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a risk assessment of at least the following four factors, that there is a low probability that the PHI has been compromised:
First, the nature and extent of the PHI involved, including the types of identifiers present and the likelihood that the data could be re-identified. Second, the unauthorized person who used the PHI or to whom it was disclosed; the organization needs to establish who received or viewed the data and whether that person was authorized. Third, whether the PHI was actually acquired or viewed, as opposed to merely exposed. Fourth, the extent to which the risk to the PHI has been mitigated (for example, through a signed attestation that the recipient destroyed the data). The assessment and its conclusion should be documented, because the burden of proof rests with the covered entity or business associate.
The Department of Health & Human Services (HHS) has also identified three exceptions to the breach definition.
First, if a “workforce member or person acting under the authority of a covered entity or business associate” unintentionally acquires, accesses, or uses PHI “in good faith and within the scope of authority,” it is not considered a HIPAA breach, provided the PHI is not further used or disclosed in a manner the Privacy Rule does not permit.
“The second exception," the federal agency continues, "applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates."
Finally, if the covered entity or business associate “has a good faith belief” that the unauthorized person who received the PHI would not reasonably have been able to retain the data, it is not considered a HIPAA data breach.
A key aspect of the HIPAA Breach Notification Rule, though, is that the notification requirements apply only to unsecured PHI, that is, PHI that “has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” The HHS guidance names two such methods: encryption consistent with the referenced NIST standards, and destruction of the media or data. Encryption only counts if the decryption key was not itself compromised; a lost laptop with full-disk encryption and the passphrase on a sticky note still holds unsecured PHI.
“Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations,” HHS explains. “Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.”
Are healthcare ransomware attacks HIPAA data breaches?
With more healthcare organizations falling victim to ransomware attacks, one question has emerged: Are healthcare ransomware attacks considered a HIPAA data breach?
The answer is not a straightforward one. It could be argued that if a network holding PHI was accessed and the data was simply encrypted in place, the data was not necessarily viewed or exfiltrated by a third party; the PHI was made inaccessible, but there is no certainty that the attacker did anything else with it. The counterargument is that encrypting the data means an unauthorized party took control of it, which HHS's ransomware guidance treats as an unauthorized acquisition and therefore a presumed breach. Either way, the presumption in the rule means the organization must perform and document the four-factor risk assessment, which in practice requires forensic evidence of what the malware did (for example, whether it exfiltrated data before encrypting it) rather than an assumption that nothing left the network.