Second Example of Compliance
As for the second compliance example, the Department of Health and Human Services (HHS) issued an interim final rule concerning procedures and notification of breaches of unsecured PHI under the Health Insurance Portability and Accountability Act (HIPAA). For breaches discovered on or after September 23, 2009, the rule describes the process for notifying victims of the breach and also expands accountability for a data leak to include business associates of the entity holding the PHI.
The rule also clearly specifies what constitutes "protected PHI"; when a breach involves protected PHI, notification of the affected party is not necessary. Specifically, if the PHI is encrypted per the guidelines of the National Institute of Standards and Technology (NIST), then notification is not required. If, however, your PHI is unprotected, then the following three actions must occur:
Action No. 1: Within 60 days of the discovery, affected parties must be notified of the breach in clearly understandable language. Furthermore, prominent media must be contacted when more than 500 individuals are affected.
Action No. 2: The notification must explain the specifics of what occurred: what type of PHI was leaked and the steps that individuals can take to protect themselves.
Action No. 3: The responsible party must specify the steps it is taking to avoid harm to the affected individuals, such as contact procedures and information for those needing help.