Medical and other health information is private and should be protected by all healthcare institutions. Civil rights and federal laws have been established to protect the rights over health information; they set rules and limits on who can look at, receive and share individuals’ health information. These rights and rules apply to all forms of health information – electronic, oral or written.
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information.
The HIPAA Security Rule – Sets national standards for the security of electronic protected health information.
The Patient Safety Rule – Protects identifiable information being used to analyze patient safety events and improve patient safety confidentially.
The HIPAA Breach Notification Rule – Requires covered entities and business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers.
Health Information Is Private And Protected By Federal Law, but what happens when there are data breaches?
Following a breach of unsecured protected health information, healthcare entities must provide notification of the breach to affected individuals, the Secretary, and to the media. In addition, business associates must notify the institution if a breach occurs at or by the business associate.
All data breaches affecting more than 500 patients have to be disclosed to the government on the U.S. Department of Health & Human Services website.
After investigation, federal fines are probable and costly.
David Vogel, a digital marketer at Datapipe.com, published an article on January 7, 2014, titled "Top 10 HIPAA Data Breaches of 2013". Entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Typically, notification of a data breach is given through a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and it must include the same information required for the individual notice.