In a recent post, we covered HIPAA Compliance, and everything your business needs to know if it is handling any kind of data related to patients having or that have had medical treatment. This data can be medical records, but it can also be billing and contact/identity information.
Accurately measure risk & automate compliance with Rivial Security.
The moment your organization learns of the breach, you must do what is necessary to stop it. For example, if you learn that you’re giving access to an employee who does not need it, you must revoke access immediately.
In some cases, when the violation is this limited, the steps for how to handle HIPAA violations stop there. You can document the situation for your annual reports, and then go about business as usual. The reason for this is because the breach involved what The U.S. Department of Health and Human Services (HHS) refers to as, the “unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”
However, this is not always the case. More often than not, you’ll need to complete the other three steps.
Accurately measure risk & automate compliance with Rivial Security.
You need to investigate how many patients were impacted. If possible determine:
The more information you can gather at this stage the better. What you learn can help you determine the best means for how to proceed as well as how to prevent violations from happening in the future.
If fewer than 500 patients were impacted, you are not obligated to inform the HHS of the occurrence immediately. You will need to document what has transpired and file the report of the breach with the HHS by the end of the calendar year the breach happened in.
If more than 500 patients had their rights violated, notifications must happen immediately. As HHS explains, in the event your company’s violation impacts more than 500 people within a single “State or jurisdiction,” you may need to notify patients that were impacted, local media, and the secretary of the HHS. For full details on Breach Notification Requirements, visit the HHS website.
Failure to notify the HHS can result in a fine of $10,000 per violation or more if the violation is discovered later. This is why self-reporting is critical. The exact number of the fine will be dependent on whether the violation was an accident, your company was unaware of the breach, or if it was a result of willful neglect. Another factor in determining the final number of the fine is whether the breach has been corrected or not.
Start by running an internal IT security audit, and an IT risk assessment. Taking these steps will bring to light current risks to data as well as potential means of mitigating and preventing data leaks. During your audit, you will want to do things like change passwords, find out who has access to what, and restrict/revoke access where necessary.
Accurately measure risk & automate compliance with Rivial Security.
Additionally, you should make it clear to personnel that data breaches and incidents that can result in HIPAA violations will not be tolerated. Inform your personnel that violations can result in suspension and/or termination, and make sure that any third-party vendors are aware of your strict security protocols as well.
Even when companies like yours are diligently working to ensure data breaches won’t be an issue, they can still happen. That is why the best method for how to handle HIPAA violations is to actively seek out the means of preventing them from occurring in the first place.
For assistance determining where your vulnerabilities are or patching data leaks, contact Rivial Security today.
Accurately measure risk & automate compliance with Rivial Security.
Lucas Hathaway: 22 Apr 2024
Flying under the radar for years, BEC attacks have been slowly climbing the ranks as one of the most popular tactics amongst cybercriminals to...
Lucas Hathaway: 22 Mar 2024
Originally launched in 2014 and updated in 2018. NIST CSF 2.0 (released in February 2024) builds on ten years of cybersecurity progress. It expands...
Lucas Hathaway: 11 Mar 2024
Year after year, the responsibilities of security leaders seem to grow. They must develop and implement security policies, train their organization...
.png?width=755&height=205&name=Rivial%20Logo%202020%20(72dpi).png "Rivial Logo 2020 (72dpi)")
Randy Lindberg