Cyberattacks are becoming more and more common, and healthcare facilities are unfortunately near the top of attackers' target lists. Medical records contain a wealth of sensitive information that is valuable to criminals, and a practice cannot operate without access to those records, so medical practices attract frequent attacks, especially ransomware.
No matter how secure you believe your IT systems are, it's important to know how you should respond in the event of a healthcare data breach. The following article describes how healthcare providers in Philadelphia should respond to a data breach (that is, an impermissible use or disclosure of a patient's protected health information, or PHI).
Under HIPAA, the Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and their business associates to notify certain parties when a breach of unsecured PHI occurs. Those you must notify include the individuals affected by the breach, the Secretary of the US Department of Health & Human Services (HHS), and, in some instances, the media.
Before you respond, you must determine whether the incident is a breach as HIPAA defines it. A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of that information; in practice this means a loss of the confidentiality, integrity, or availability of healthcare data, as in the following examples:
Providers in Philadelphia therefore have to make a judgment, based on a documented risk assessment, as to whether the incident falls under the Breach Notification Rule. The rule presumes that an impermissible use or disclosure of PHI is a breach; if a practice decides not to notify anyone, it must be able to demonstrate that there is a low probability that the PHI has been compromised. Note also that the rule applies only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons in line with HHS guidance (for example, by encryption). Losing an encrypted laptop whose decryption key was not also exposed is generally not a reportable breach, which is one practical reason to encrypt PHI at rest.
The Breach Notification Rule requires that this risk assessment consider at least the following four factors (45 CFR § 164.402):
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom it was disclosed.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.
Covered entities (and their business associates) may also choose to notify without first carrying out a risk assessment.
While knowing what constitutes a breach is essential, it's also important that healthcare providers in Philadelphia know which scenarios HIPAA does not count as a breach.
The rule carves out three exceptions, in which no notification is required:
1. Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, made in good faith and within the scope of their authority, that does not result in further impermissible use or disclosure.
2. Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement), where the information is not further used or disclosed impermissibly.
3. A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
If your assessment concludes that a reportable breach has occurred, the HHS requires that you make a series of notifications. All of the deadlines below run from the date of discovery, and a breach is treated as discovered on the first day it is known to the organization, or would have been known had reasonable diligence been exercised; knowledge held by any workforce member or agent counts.
You must notify each affected individual in writing by first-class mail or, if the individual has agreed to receive electronic notice, by email. This notification must go out without unreasonable delay and no later than 60 calendar days after discovery of the breach. The notice should describe what happened (including the dates of the breach and of its discovery), the types of PHI involved, the steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you.
If you have insufficient or out-of-date contact information for 10 or more affected individuals, you must provide substitute notice: either a conspicuous posting on the home page of your website for at least 90 days, or conspicuous notice in major print or broadcast media where the affected individuals are likely to live, in both cases with a toll-free number, active for at least 90 days, through which individuals can learn whether their information was involved. (Where contact information is lacking for fewer than 10 individuals, substitute notice may be given by an alternative written notice, by telephone, or by other means.)
HIPAA rules state that if a breach involves more than 500 residents of a state or jurisdiction, practices in Philadelphia must notify prominent media outlets serving that state or jurisdiction. Most healthcare organizations do this via a press release. This notice is also due without unreasonable delay and no later than 60 days after discovery.
As well as notifying the individuals involved and the media, covered entities must also inform the Secretary of HHS, through the electronic Notice of Breach form on the HHS website. If the breach involves 500 or more individuals, you must notify the Secretary without unreasonable delay and no later than 60 days after discovery; HHS posts these breaches publicly. If the breach involves fewer than 500 individuals, you may instead log it and report it to the Secretary annually, no later than 60 days after the end of the calendar year in which it was discovered. Keep the log and your risk assessments, because the covered entity carries the burden of proof that all required notifications were made, or that the incident was not a breach.
Business associates suffer breaches of PHI too. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and must identify, to the extent possible, each individual whose PHI was involved, along with any other information the covered entity needs for its own notices. The covered entity remains responsible for notifying individuals, the media, and the Secretary unless its business associate agreement delegates that task to the business associate, so make sure the contract spells out who notifies whom and by when. Note too that if the business associate is acting as your agent, its discovery of the breach counts as your discovery, and your own 60-day clock starts at that point.
Data breaches are, unfortunately, regular occurrences in the healthcare industry. If your Philadelphia organization has experienced a breach, you could benefit from working with a Managed Service Provider (MSP).
Managed IT service providers who specialize in healthcare understand how to assess the risks to your patients' protected data and adjust your cybersecurity plan accordingly. An MSP can help you find the vulnerabilities in your environment and remediate them, and put in place the controls, such as encryption of PHI at rest, access logging, and tested backups, that limit both the damage and the notification burden of any future breach.
To speak to our healthcare-focused IT Professionals in Philadelphia about what your practice can do to maintain HIPAA-compliant cybersecurity, contact us today.