The average cost of a data breach for U.S. health care companies is $6.45 million (or $429 per individual record), higher than the global all-industry average. The Breach Notification Rule in HIPAA sets out what legally counts as a breach, what an organization must do when one occurs, and what a data holder can be held liable for afterward.
While the Breach Notification Rule binds covered entities and their business associates (including subcontractors that handle data on a business associate's behalf), the steps it prescribes can be treated as best practice for any company that holds protected health information (PHI).
If your business experiences a breach, you must notify the affected individuals, the HHS Secretary and, when a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area. Notice to individuals must go out without unreasonable delay and no later than 60 calendar days after the breach is discovered. The Rule defines a breach as an acquisition, access, use or disclosure of PHI that the Privacy Rule does not permit and that compromises the security or privacy of that information. Such an incident is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. This covers information that has been exposed, lost or stolen through unauthorized access by an employee or a third party, a ransomware attack, or any other improper disclosure.
The Rule applies only to "unsecured" PHI, and HHS guidance names two ways to take data out of that category: encryption consistent with NIST guidance for data at rest and in transit, and destruction (including media sanitization) of the data or the media holding it. The rationale is that PHI treated this way is unusable, unreadable or indecipherable to an unauthorized person, so its loss does not trigger notification. The safe harbor holds only if the decryption key was not also compromised, which is why keys must be stored and managed separately from the data they protect.
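The following Go program is an added illustration and is not code from the original article or from Elevation. It shows in working form why encrypted PHI at rest is treated differently from plaintext, and why key handling decides whether that treatment holds: each record is sealed under its own AES-256-GCM key kept apart from the ciphertext, a copy of the stored blob reveals none of the record's fields, and destroying the key (crypto-shredding, one practical form of the "destruction" option) makes every copy of the ciphertext, backups included, permanently unreadable. The `Vault`, `Seal`, `Open`, `Shred` and `Leaks` names and the sample record are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Vault keeps one random AES-256 key per record, apart from the ciphertext
// it protects. Keys living separately from the data is what makes encrypted
// PHI unreadable to whoever obtains only the stored blobs; if the key store
// is exposed together with the ciphertext, the data is readable again.
// (Constructed example type, not a library API.)
type Vault struct {
	keys map[string][]byte // record ID -> 32-byte data-encryption key
}

func NewVault() *Vault { return &Vault{keys: make(map[string][]byte)} }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record under a fresh per-record key with AES-256-GCM.
// The 12-byte random nonce is prepended to the ciphertext, and the record ID
// is bound as associated data so a blob cannot be replayed under another ID.
func (v *Vault) Seal(recordID string, phi []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	v.keys[recordID] = key
	return aead.Seal(nonce, nonce, phi, []byte(recordID)), nil
}

// Open decrypts a blob only if the record's key still exists and the
// ciphertext authenticates; tampering or a wrong record ID is rejected.
func (v *Vault) Open(recordID string, blob []byte) ([]byte, error) {
	key, ok := v.keys[recordID]
	if !ok {
		return nil, errors.New("key destroyed or unknown: ciphertext is unrecoverable")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// Shred is crypto-shredding: zero the key and drop it, so every copy of the
// ciphertext (including backups nobody can locate) becomes unreadable at once.
func (v *Vault) Shred(recordID string) {
	if key, ok := v.keys[recordID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, recordID)
	}
}

// Leaks reports whether any plaintext field appears verbatim in a stored blob,
// i.e. what an attacker who obtained only the data store would be able to read.
func Leaks(blob []byte, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(blob, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; not real patient data.
	phi := []byte(`{"name":"Jane Doe","mrn":"000123","dx":"E11.9"}`)
	v := NewVault()
	blob, err := v.Seal("rec-1", phi)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored blob:", Leaks(blob, "Jane Doe", "000123"))
	pt, _ := v.Open("rec-1", blob)
	fmt.Println("authorized read:", string(pt))
	v.Shred("rec-1")
	_, err = v.Open("rec-1", blob)
	fmt.Println("read after shred:", err)
}
```

The point to take from the `Vault` design is the separation: the blob alone is useless, the key alone is useless, and a breach that exposes both is a breach of unsecured PHI regardless of the algorithm used. In a real deployment the per-record keys would themselves be wrapped by a key-management service or HSM rather than held in process memory.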
It is important to remember that HIPAA is not the only source of law that health tech companies must comply with. The data privacy landscape is complex and changes constantly. For example, HHS also issues rules on interoperability and information blocking, and the Federal Trade Commission enforces consumer protection requirements, including its own Health Breach Notification Rule for certain health apps and vendors that fall outside HIPAA. Further, every state has its own breach notification statute, which may impose additional or more stringent standards and procedures.
Unsure what your business needs to do to limit your potential liability around handling patient data? Elevation’s data privacy experts are ready to help your company navigate current and emerging data privacy requirements, identify areas of liability and institute safeguards to limit your exposure.