The Security Scrutinizer with Howard Anderson

Breach Notification: A Status Report

Survey Shows Compliance, Prevention Efforts Lagging

The federal government's official tally of major healthcare information breaches now shows more than 300 incidents affecting almost 11.7 million individuals since September 2009. So what are healthcare organizations doing to prepare for breach notification? And what steps are they taking to prevent breaches from occurring?

Preliminary results of our inaugural Healthcare Information Security Today survey, which is still open for participation, show that only about half of healthcare organizations have a plan in place to comply with the HITECH Act breach notification rule. In addition, about 39 percent rate their ability to counter security threats as poor, failing or in need of improvement. And 25 percent have yet to conduct a detailed risk analysis.

Remember, healthcare organizations are obligated to comply with the interim final breach notification rule, even though it's slated to be replaced by a final version soon. So don't let that "interim final" title fool you. The rule is in effect, and your organization should have a breach notification plan in place to help ensure compliance.

A final version of the rule is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim final version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.

We'll have to wait and see whether that harm standard is modified or removed from the final version of the rule. Some members of Congress and privacy advocates have called for federal regulators to require that all breaches be reported, not just those with a significant risk of harm. We're hoping that regulators, at the very least, greatly clarify the standard. That could help make compliance easier.

In the meantime, is your organization prepared to notify patients and regulators of a breach if you learn of one tomorrow? And, equally important, are you taking all the necessary steps to prevent breaches?

Participate in Survey

Our ongoing survey is designed to assess organizations' security efforts, including their breach prevention strategies. But time is running out to participate, so don't miss out on this opportunity. By taking a few minutes to fill out the survey, you'll help us provide you with a detailed analysis of the status of healthcare information security, which you can then use to compare your organization's efforts with others and gain insights that you can apply to your security program.

In the weeks ahead, we'll present the final survey results in a variety of ways, including an executive summary, annotated report, interviews and a webinar.



About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



