The Health and Human Services Breach Portal
What you should know to protect yourself
The Health and Human Services (HHS) Breach Portal is an online listing of incidents where personal patient information has been compromised. Main Street Medical has pulled together some important information on what is considered a breach, how to report a breach and most importantly, how to avoid a breach. Sign up to receive the Main Street Medical Consulting Email Newsletter for access to other content you don’t want to miss out on.
What is considered a Breach?
The Department of Health and Human Services defines a breach as, “…generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”. HHS elaborates on this definition by explaining that there are different types and levels of breaches. You can learn more on the HHS breach notification page.
The HITECH Act requires breaches of unsecured PHI affecting 500 or more individuals to be posted on this Breach Portal, sometimes called the healthcare “wall of shame”. There are quite a few different types of breaches that can mandate a report. The most common are theft of computers, personal devices, network servers and the like, and hacking incidents. Others include improper disposal of documents, films (such as X-rays) or IT assets, as well as unauthorized access to information or disclosure to unauthorized parties.
What Happens When a Breach is Detected?
When a breach is detected, the organization responsible must notify the affected individuals and the Secretary of Health and Human Services. In some instances, HHS explains, the media must also be notified. Individuals should be notified by first-class mail or, where they have expressed a preference for electronic communication, by email, no later than 60 days after the breach was initially detected. Notifying the Secretary of Health and Human Services is a bit easier: HHS provides an electronic form for this purpose. If more than 500 individuals in one state are affected by the breach, the entity is also responsible for alerting the media.
Covered entities and their business associates carry the “burden of proof”: they must be able to demonstrate that they have taken the required steps to notify the affected individuals that their private information may have been compromised.
How can you help to protect yourself and your organization from appearing on the HHS Breach Portal?
A good place for small practices and organizations to start is this basic security checklist for small healthcare practices. The Department of Health and Human Services also provides a short list of more complex steps that providers and practices can take to safeguard personal and private information, including encryption and other additional layers of electronic security. It is important to remember, though, that your policies and your physical handling of this sensitive information are just as important as the technical security you implement. Policies and administrative rules or procedures can go a long way towards safeguarding important information.