Under HIPAA, when a breach of unsecured PHI takes place, the covered entity that sustains the breach must notify affected individuals of the breach. Notification must be provided through a breach notification letter. The content requirements and a HIPAA sample breach notification letter are discussed below. Patient Notification in Breach Notification Letters Prior to 2009, many breaches of unsecured PHI went unreported, [...]
You may have been hearing a lot about HIPAA breach notification reporting lately and for a good reason. The deadline to report small-scale breaches to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is March 1st. When reporting breaches to the HHS OCR, they require you to submit a HIPAA Breach Notification Form. Before completing the form, [...]
A recent policy statement by the Federal Trade Commission (FTC) has dramatically expanded coverage and penalties under the FTC Breach Notification Rule for companies that develop and offer mobile health applications and services for consumers. History of the FTC Breach Notification Rule As issued by the FTC in 2009, the Breach Notification Rule required PHR vendors to notify the Federal Trade Commission and any affected individuals upon: [...]
Hopefully, you’ve been keeping a list of your minor breaches that occurred in 2021 because now is the time to report them to the Department of Health and Human Services. As the 2022 HIPAA breach notification rule deadline approaches, it is important that you know the deadline and understand what incidents need to be reported. When is the 2022 HIPAA Breach Notification [...]
Is there such a thing as a leap year law? Once every four years (e.g., 2000, 2004, 2008, 2012), there is a February 29th. Years with this extra calendar date are, of course, called leap years. The existence of an extra day in a year can change a legal deadline. This year, because there is an extra day, February 29, the breach notification deadline for [...]
Even when a covered entity or business associate maintains an effective HIPAA compliance program, there are still instances where unintentional HIPAA violations occur. These violations can take various forms, such as an employee accidentally accessing patient records or sending sensitive information to the wrong recipient. This article examines how covered entities and business associates should appropriately respond in case of accidental PHI disclosure or other examples [...]
The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) provides an online HIPAA Violation Complaint Portal Assistant that allows individuals who believe their HIPAA rights have been violated to report the incident. Users may input the following information using the Complaint Portal Assistant: When they learned of the most recent HIPAA violation Whom the complaint about [...]
Researchers for the journal Health Services Research recently conducted a study to determine whether there is a relationship between hospital data breaches and patient deaths. Of particular interest was whether or not remediation efforts for hospital data breaches diminished the quality of hospital care. Remediation Efforts for Hospital Data Breaches: Related to Quality of Patient Care? A hospital data breach is the unauthorized acquisition, access, use, or disclosure, [...]
In its’ most recent HIPAA settlement, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a $2.175 million HIPAA fine to Sentara Hospitals. The HIPAA settlement stemmed from a breach in April 2017 that affected 577 patients. In addition to the fine, Sentara Hospitals has agreed to adhere to corrective action plans, to be submitted to HHS for approval. Would [...]
Alive Hospice, based in Tennessee, experienced a healthcare breach due to phishing emails. A phishing email occurs when a hacker disguises themselves as a trusted user, prompting recipients to click on a malicious link, allowing access to their email account. The incident was reported on July 3rd and affected 608 patients. Under the Health Insurance Portability and Accountability Act (HIPAA), Alive was required to mail data breach notification [...]
