Healthcare Data Breach Response

Have a breach of PHI? Rely on our AHA-endorsed breach response services for healthcare 

Every data breach is unique, but data breaches involving protected health information (PHI) are especially complex. The type of data, the health risks to affected individuals, and the chokehold of regulations—together, these factors escalate “typical” data breach risks to new levels. Our goal at ID Experts® is to simplify these complexities, and thus reduce the risks to healthcare organizations and their patients.

When planning a breach response, healthcare organizations—covered entities and business associates—must take into account the very real dangers of compromised PHI to an individual’s health. Polluted medical records, a result of breached PHI, can result in medical identity theft, prescription errors, misdiagnoses, and even mistreatment.

Rules and regulations: HIPAA, the HITECH Act, and the Final Rule

Because of these risks, the regulations for protecting healthcare information are extensive, strict, and specific. The Health Insurance Portability and Accountability Act (HIPAA) imposes specific Privacy, Security, and Breach Notification Rules to protect PHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act sought to streamline healthcare and reduce costs through the use of health information technology.

The most recent—and most relevant—is the HIPAA Final Rule (also referred to as the HIPAA Omnibus Rule) which, among other things, expands the definition of who is subject to HIPAA regulations. This rule and others were written by and are enforceable by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The Final Rule modifies breach notification regulations: It replaces the prior “harm threshold” standard for determining if a security or privacy incident is a reportable breach with a new compromise standard. The new standard includes four factors, which are the basis of an incident risk assessment. The burden of proof, of course, still remains with the healthcare organization and not the regulatory authorities.

In addition, 47 states have their own breach notification regulations. Achieving regulatory compliance and avoiding costly fines and lawsuits—and protecting patients’ financial, medical, and reputational health—has never been more complex.

Learn how the HIPAA Final Rule affects your covered entity or business associate.

Nobody knows healthcare data breaches better than ID Experts

  • RADAR, our award-winning, patented software for managing incident response. It is Final-Rule compliant and updated with the latest breach notification laws, including state laws. It provides the consistent, defensible, and repeatable method for incident risk assessments that the law requires. RADAR also expedites reporting to the U.S. Department of Health and Human Services (HHS), if required.
  • Customized, compliant notification. We can tailor notification to meet the special needs of your patients, be they disabled, elderly, minors, or non-English speaking. These include notification letters and tracking, call-center services, and websites.
  • Regulatory reporting and crisis communications. We’ll notify HHS, state Attorneys General, and other regulatory bodies on your behalf within the appropriate timelines. Our crisis communications include public relations, to ensure a consistent message across all media outlets.
  • Patient-focused identity monitoring and protection solutions. From our actionable Healthcare Identity Protection Toolkit™, to medical identity monitoring, to our 100% identity recovery success rate, our services are patient-focused, and aid your healthcare organization in maintaining goodwill, reducing the likelihood of lawsuits, and ensuring compliance.
  • MIDAS™—Medical Identity Alert System—helps reduce healthcare fraud (and data breaches) by engaging health plan members to monitor their healthcare transactions and take control of their medical identities. It also ensures compliance with key components of the Affordable Care Act (ACA).