How to Develop a HIPAA Incident Response Team

Covered entities and business associates are required to identify and report breaches of unsecured protected health information (“PHI”) and security incidents. “Breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Laws which compromises the security or privacy of the PHI, and is not one of the breach exclusions.1 Breach applies to both paper and electronic PHI. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI (“EPHI”) or interference with the entity’s system operations in its information system.2 The Federal Office for Civil Rights (“OCR”) has recommended that covered entities and business associates have incident response teams capable of identifying and handling breaches and security incidents.3 Incident response plans and policies should be developed, reviewed annually, and approved by management….hipaaincidentresponseteam

Healthcare Data Breach Enforcements and Fines At A Glance (2015)

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005 . . .Healthcare DB_Enforcements_At A Glance


Healthcare Breach Litigation At A Glance (2015)

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but about class action lawsuits.   The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood . . .

Healthcare DB_Litigation_At A Glance_1

State Level Enforcement and Fines for Health Data Breaches At A Glance (2015)

It does not appear that enforcing HIPAA’s data breach notification requirements is a priority for most AGs, due to the low number of actions brought under the statute. Connecticut, Vermont, Minnesota, and Indiana have each brought one action. Massachusetts is the only state that has brought more than one action . . .Healthcare DB_State_Fines_At A Glance


The Causes of Healthcare Breaches At A Glance (2015)

The data collected by HHS concerning breaches shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing the more publicized hacking events.  Almost 40% of breaches still relate to the theft of hardware . . .