Understanding a HIPAA requirement is only half the battle. To avoid the significant negative impacts of a security breach, you also need to know the various state breach notification laws and the HIPAA regulations that apply on top of them. Read this article for more.
Breach notification laws: Breach notification legislation has been adopted in 44 states at this point. The National Conference of State Legislatures maintains a web page listing the various state breach laws, so you can look up the rules for your own particular state. In addition, Title XIII of the new Economic Stimulus Act (the American Recovery and Reinvestment Act of 2009) is known as HITECH, which stands for Health Information Technology for Economic and Clinical Health.
Title XIII, Subtitle D, contains sections that deal with breach notification, so there are HIPAA regulations coming on how you are supposed to handle breach notification, and these apply specifically to health information.
Say you lose a laptop that holds health information. The state laws usually refer to data elements such as Social Security numbers and driver's license numbers, which you may not necessarily have in your health information. The federal law, by contrast, covers all kinds of health information, and a couple of its sections touch on that.
So be on the lookout for those regulations. Some of the state laws have also been modified to add extra requirements; for example, Minnesota law requires merchants to comply with the PCI rules.
The PCI rules are really just part of the contract between you and your credit card vendor, but Minnesota law now says, in effect, "That is actually a state law for us." So if you are a merchant in Minnesota, you need to be in compliance with PCI, and if there is a breach, you have to pay the costs and losses that result from it.
California law (and Delaware and a few other states also have this in their breach notification laws) has included medical and health insurance information since January 2008. So that one already covers the kinds of information that are in the federal law, but not all state laws do.
As far as responding to breach notification laws, you have to get together with the others in your organization who manage personal information and know where that information is. Make sure people are trained in the proper policies and procedures, and have good policies and procedures in place, so you can tell when a HIPAA breach actually occurs. That is another thing I have seen at a lot of these organizations: they discover, "Oh, gosh, we've been breached, and it has been going on for months."
That is a bad situation; by the time that happens, you have a very hard time figuring out what information may have gone out the door. So make sure you have policies and procedures in place to follow in the event of a breach, and that you know how to identify the right people and notify them. You should also conduct some drills on how to respond to a HIPAA breach if you have not had one before. It can be a real surprise how hard it is to deal with.
Sidestep HIPAA breaches with expert training on HIPAA rules and regulations with AudioEducator.