HIPAA Compliance

Pay attention to HITECH Act Definition of Breach: Lost Customers Big Cost Factor

April 16, 2009 · Health IT and HITECH

The April 2009 issue of Baseline magazine has an article by Corinne Bernstein entitled “The Cost of Data Breaches,” which is available online at www.baselinemag.com. The article is based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors, and we recommend that covered entities and business associates review it. Here are several highlights:

» “Lost business accounted for nearly 70 percent of a data breach in 2008.”
» “[S]ectors suffering the highest customer losses were health care…and financial services.”
» “The biggest cause of breaches…is insider negligence…88% of all cases in 2008.”
» “The number of breaches involving third-party organizations continues to climb.”

The article concludes with the following quotation:

“‘Organizations are getting better at detecting breaches,’ says the institute’s Larry Ponemon. ‘But to reduce the incidence of data breaches, they need to use better security technologies, such as encryption and identity access management, and they must provide more training to their employees.’”

The HITECH Act, signed into law by President Obama on February 17, 2009, as part of the American Recovery and Reinvestment Act, has a new definition of “breach” and requires business associates of covered entities to comply fully with the HIPAA Administrative Simplification Security Rule beginning February 17, 2010. The new definition of breach follows and the Security Rule is available on the HIPAA.com Web site. If you are a healthcare covered entity or business associate, you need to read and understand this April 2009 Baseline magazine article. A data breach will cost an affected organization big dollars, customer losses, and maybe the business as well.

HITECH Act Definition of Breach

(1) Breach

(A) In General. The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) Exceptions. The term ‘breach’ does not include-

(i) Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if-

(I) Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and

(II) Such information is not further acquired, accessed, used, or disclosed by any person; or

(ii) Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and

(iii) Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

Tags: 2010, American Recovery and Reinvestment Act, Baseline, breach, Corinne Bernstein, cost factor, February 17, HIPAA Administrative Simplification, HITECH Act, insider negligence, lost business, Ponemon Institute, President Obama, Security Rule

© 2023 · hipaa.com