Data breaches: Fast facts
Under the Health Information Portability & Accountability Act (HIPAA), physicians must report all breaches involving "the acquisition, access, use or disclosure of protected health information (PHI)" to the U.S. Department of Health and Human Services (HHS).
If the breach impacts more than 500 people, physicians must report the name and state of the entity breached, number of records affected, type and source of the breach and involvement of any external vendors.
When a breach impacts 800 or more people, consider identity-theft protection and media releases.
Do you think you’ve been hacked?
If you think a cybercrook has accessed your patients' electronic health records (EHRs), experts recommend the following steps:
· Stop everything, disconnect your computer from the internet, and turn it off. If possible, unplug your computers from the network and the wall to prevent further damage.
· Call your IT provider to confirm and investigate the breach.
· Contact your HIPAA privacy officer, legal counsel and insurer.
· If you believe an online break-in occurred, call the police. They will contact the Federal Bureau of Investigation if any kind of theft is discovered.
· Contact the Federal Trade Commission, which can advise about reporting the breach to patients. It also offers short-term identity-theft monitoring and may send investigators.
· Notify any impacted patients by letter, explaining what happened and how you're fixing it. In sensitive situations, or if a patient has not disclosed their diagnosis to their family or employer, call the patient before that letter goes out.
· If the breach is large or widespread, consider issuing a press release. Many are reluctant to report that they may have been compromised, but silence only fuels the problem.
· Consult applicable state regulations for additional steps, which may differ from those of HIPAA.
Post your official notice of privacy practices. It's a HIPAA requirement and it's a good marketing tool for your office.