The interim final breach notification rule, now in effect, requires Covered Entities to report breaches to federal authorities as well as to those affected. With the number of breaches growing on the HHS “Wall of Shame”, and over 3% of the American public having had Protected Health Information impermissibly disclosed, organizations are now focusing their efforts on preventing breaches. We’ve encouraged you to work on your plan … now!

Many of you asked: What are the biggest gaps Covered Entities are exhibiting? Of course, the gaps vary by size, sophistication and type of organization. Let me place them in three buckets:
- The Unaware / Misinformed – At the sad extreme, there are many organizations that are not even aware of their obligations OR are under the mistaken perception that, as an Interim Final Rule, Breach Notification does not have the force of law – it does.
- The Pre-Breach Unprepared – On a pre-breach basis, the biggest mistakes fall into the category of simply failing to take basic preventative steps. The classic example is the failure to complete a risk analysis to identify exposures and prioritize risk mitigation actions. In this domain, the specific and ridiculous failure to implement basic controls is illustrated by the number of preventable breaches that appear on the HHS Breach ‘Wall of Shame’. Think “secure it or destroy it”.
- The Post-Breach Unprepared – Post-breach, there are many organizations that are totally unprepared to “scale” to address the size of the breach; they fall short on the capacity and expertise needed to handle it. Taking calls for billing and customer service is not the same skill as handling ID theft calls from irate patients or plan members.
- Read more on HealthInfoSecurity.com: Data Breach Planning Notification Tips – How to Avoid Creating Unnecessary Risk …