OCR HIPAA Breach Guidance, 2017

HIPAA breach guidanceOCR has recently reinforced guidance for health care professionals on proper protocols to follow in the event of a HIPAA breach. The guidance coming from the body of HHS responsible for enforcing HIPAA compliance gives insight into HIPAA investigations and data breaches that have occurred in the past year based on recent upticks in ransomware incidents across the country.

But what can behavioral health professionals do to protect their sensitive health care data? The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has created a set of protocols that you can follow to ensure that your data breach doesn’t turn into a full scale HIPAA investigation. Below, we take a look at some of the key takeaways that you can use to inform your compliance and security work.

Protecting your practice with HIPAA compliance and security is critical to keeping your practice out of the headlines, especially now that HIPAA fines for 2017 have reached up to $17.1 million in total. 2017 is set to outpace 2016’s record-breaking $24 million, should the trends in enforcement continue.

What to Do When You Have a Data Breach

Here are some of OCR’s tips that you can leverage to protect your practice:

  • A practice that has experienced a breach must execute its response and mitigation procedures as well as emergency contingency plans. The entity should fix technical and other problems in order to stop the attack and take steps to mitigate impermissible disclosures of protected health information (PHI, which includes demographic information that can be used to identify a patient). Outside vendors may be brought in to offer assistance. 
  • The practice should report the incident to law enforcement agencies including, state or local law enforcement, the FBI, and/or the Secret Service. Any such report should not include PHI unless permitted by the HIPAA Privacy Rule.
  • The practice should report all cyber threat indicators to federal ISAOs (information-sharing and analysis organizations), without disclosing any PHI.
  • The practice must fulfill OCR breach reporting obligations in a timely manner, as outlined in the HIPAA Breach Notification Rule. It is important to note that “OCR presumes all cyber-related security incidents where protected health information as accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.”

HIPAA Resources

Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.

Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.

With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.

Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.



Rate this post!

(7 raters, 35 scores, average: 5.00 out of 5)

Leave a Reply

Name and email are required. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.