Assessing PHI Incidents
Privacy or security incidents involving protected health information (PHI) are complex—often more so than incidents involving other data types. The health risks to affected individuals if their PHI is compromised have resulted in a complex, sometimes conflicting, web of regulations.
RADAR® is award-winning software that simplifies the complexities of incident response management for HIPAA covered entities and business associates, helping these healthcare organizations ensure regulatory compliance and reduce data breach risks for themselves and their patients.
State and federal breach notification laws—a chokehold of regulations
The regulations for safeguarding PHI are extensive, strict, and specific. At the federal level is the HIPAA Final Rule (also referred to as the HIPAA Omnibus Rule), based on the HITECH (Health Information Technology for Economic and Clinical Health) Act, which is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The HIPAA Final Rule modifies breach notification regulations. It replaces the Interim Final Rule's “harm threshold” standard as the basis for determining if a security or privacy incident is a reportable breach with a new “compromise” standard. This new standard includes four factors, which are the basis of a required incident risk assessment. The burden of proof, as always, rests with the healthcare organization.
In addition, 47 states have their own breach notification regulations. Achieving regulatory compliance and avoiding costly fines and lawsuits—and protecting patients’ financial, medical, and reputational health—has never been more complex.
Rely on RADAR for compliant, efficient incident response management
RADAR has helped numerous healthcare covered entities and their business associates successfully manage their response to privacy or security incidents involving PHI. RADAR provides:
- Breach guidance using the latest breach notification laws, including the HIPAA Final Rule and state laws.
- A consistent, defensible, and repeatable method for incident risk assessments as required by law.
- Expedited reporting to HHS.
- Support for the organization's “burden of proof” before OCR auditors and other regulators.
- Collaborative workflow and recommended actions for a compliant response.