Media notification is required when a breach of more than 500 records has occurred. The preamble to the Interim Final Rule explains how the U.S. Department of Health and Human Services (HHS) expects the media to be notified when a breach of more than 500 records occurs. Note that HHS measures the media notification requirement by where the affected residents live, not by the location of the covered entity or business associate.
If the residents whose unsecured protected health information (PHI) was breached live in a particular city, the breach notification should be sent to a prominent media outlet serving that city. A prominent media outlet may be a television station or a newspaper (no preference is given).
If the residents whose unsecured PHI was breached are spread across a state, the prominent media outlet must serve the entire state.
If the total number of records breached is over 500 but the residents live in multiple states, with no more than 500 in any one state, then media notification is not required. Although media notification is not required in that case, notification to the individuals is still required.
If more than 500 of the residents live in each of several states, media notification is required to a prominent media outlet in each of those states.
The content of the media notification is identical to the content required for individual notification:
A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
Any steps individuals should take to protect themselves from potential harm resulting from the breach;
A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches;
Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web address, or postal address.
HHS expects the notification to the media to be in the form of a press release.
The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it retains discretion over imposing sanctions for failure to provide notification of breaches occurring before 2/18/10.
During the 180-day period between 8/2009 and 2/2010, covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.
According to a study performed by the Ponemon Institute, which is also quoted by the Department of Health and Human Services in the Interim Final Rule on Breach Notification, the total cost of a data breach is an average of $202 per record (of which $152 is indirect cost, including abnormal turnover or churn of existing and future customers). A breach of just 499 records could cost $100,798 over the long term. The same report states that health care and financial services are the two industries experiencing the highest average rate of churn. It should be noted that, according to the same study, lost or stolen laptops/mobile devices account for 35% of all data breaches.
Laptop and mobile device encryption technology is readily available. Implementing encryption in other vulnerable areas such as file shares, removable storage, and even e-mail greatly reduces the potential for invoking your breach notification plan. By reducing the amount of unsecured protected health information (PHI) in your IT systems, you can greatly reduce the chances of having to notify individuals in case of a breach.
An important part of the interim final rule is the decision that encryption is the only acceptable technology to make protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that other methods (such as access control) can continue to be used, but if a breach occurs and the protected health information is disclosed to unauthorized individuals, a breach notification is required.
Breach notifications are essentially categorized as “under 500” and “over 500” records. If a breach of under 500 records occurred, covered entities must maintain a log of the breach and notify the patients. If a breach of over 500 records has occurred, then not only the patients but also a major media outlet and HHS must be notified. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines, and the attorneys general of each state are empowered to pursue these types of breaches on a criminal level.
The government is clearly serious about patient record privacy as it encourages covered entities to move from paper records to electronic records as part of its overall healthcare reform efforts.
Copyright 2008-2011 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.com