As health care institutions began storing larger volumes of private health data digitally, the need to protect this sensitive data from loss or theft grew. To address this risk, the U.S. Department of Health and Human Services (HHS) issued HIPAA’s Privacy Rule and Security Rule in August 1996. The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”) as well as standards for individuals’ privacy rights to understand and control how their health information is used. The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Patients’ health information is extremely sensitive and should always be handled with the utmost care. All it takes is a simple misclick or misspelling to send private information to the wrong person. Such a mistake could lead to a lawsuit and/or fines. It’s important to remember that HIPAA protects patients, not covered entities. That’s why it’s critical that your organization has a cyber liability insurance policy to cover any potential data breaches. According to the Ponemon Institute’s Cost of a Data Breach Survey, losses incurred from a data breach can add up, resulting in organizational costs that can quickly escalate to millions of dollars.

If a data breach occurs, you need to be sure to notify the correct authorities, both to protect your organization, but also the owners of the data that was compromised. Here are the groups you must notify:

  1. Your state’s public health department. Failing to do so can result in fines upward of $250,000.
  2. Affected individuals following the discovery of a breach of unsecured protected health information.
  3. Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving the state or jurisdiction.
  4. The Secretary of breaches of unsecured protected health information.

You can never see a data breach coming, but you can always plan for a potential breach. Make sure that if you are a covered entity, you have the safeguards in place to prevent disaster for you and those you serve.