The April 2009 issue of Baseline magazine has an article by Corinne Bernstein entitled: “The Cost of Data Breaches,” which is available online at www.baselinemag.com. We recommended that covered entities and business associates review this article, based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors. Here are several highlights:
» “Lost business accounted for nearly 70 percent of a data breach in 2008.
» “[S]ectors suffering the highest customer losses were health care…and financial services.
» “The biggest cause of breaches…is insider negligence…88% of all cases in 2008.
» “The number of breaches involving third-party organizations continues to climb.”
The article concludes with the following quotation:
“‘Organizations are getting better at detecting breaches,’ says the institute’s Larry Ponemon. ‘But to reduce the incidence of data breaches, they need to use better security technologies, such as encryption and identity access management, and they must provide more training to their employees.'”
The HITECH Act, signed into law by President Obama on February 17, 2009, as part of the American Recovery and Reinvestment Act, has a new definition of “breach” and requires business associates of covered entities to comply fully with the HIPAA Administrative Simplification Security Rule beginning February 17, 2010. The new definition of breach follows and the Security Rule is available on the HIPAA.com Web site. If you are a healthcare covered entity or business associate, you need to read and understand this April 2009 Baseline magazine article. A data breach will cost an affected organization big dollars, customer losses, and maybe the business as well.
HITECH Act Definition of
(1) Breach
(A) In General. The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) Exceptions. The term ‘breach’ does not include-
(i) Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if-
(I) Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) Such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.