webinarshipaa-ecommerce-guidelines-and-resources-part-12-reporting-hipaa-violations President and CEO at Clarity Ventures Chris Reddick and Vice-President of Sales and Marketing Ron Halversen discuss the importance of self-reporting any data breaches that occur. Part 12 of a 13-part series (Return to Part 11) RON: For submitting the notice to the breach to the Secretary, we have covered what the covered entities are and we saw [in previous chapters] when we were looking at the enforcement, and we went to the different types of covered entities that they applied to in the different cases, right? So eCommerce healthcare providers and pharmacies and different entities. RON: The covered entity has to notify the Secretary if they discover that a breach of unsecured data has occurred. And they've got a web portal that they've supplied, so they're down here. You can go in here and say, “Hey, if it's affected 500 or more individuals, you need to report this.” And it differs. So it says a covered entity’s HIPAA breach notification obligations differ based on whether the breach affects 500 or more, or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, then you should provide an estimate.” [As a hypothetical, let’s say we are a doctor’s office and we] worked with a vendor. We were going to have them do an integration with our EMR EHR, and we inadvertently gave them administrative access to the EMR so they could see all of our patients. Now, they were working with theoretically when we do integrations with EMR, we don't necessarily get any access to the EMR because we're gained access to the API, right? So we're not in the EMR. We don't have rights to log in to the EMR. We don't have direct access to the EMR. We only have access to the API. So you have to be very careful in working with third parties. But anyway, the first one just talks about even if you suspect a breach, it's better to stay ahead of it. So your security officer should go ahead and estimate. Did the breach occur on more than 500 individuals data or less than and submit it accordingly? RON: If it's affecting more, a covered entity must notify the breach without an unreasonable delay and in no case later than 60 calendar days. So if you figure it out and find out about it, it's like, “Hey, I just found out about it today. This problem's existed for years because it's built into our software and we didn't know this, but we found out about the breach today.” The clock starts right then and you have 60 days from the discovery of that breach to notify. And if you don't, that's probably when you're going to get in bigger trouble. CHRIS: And Ron, when you click on "View a list of breaches affecting 500 or more” and open a new tab just so we can look at that. I just want folks to understand this is happening all the time, that there are folks reporting these and you can look at the type of breach and you'll see most of these are hacking IT. RON: Here's a laptop was lost, but hacking emails or hacking servers is the big one. Or here's a lost laptop and the theft of a portable electronic device. And many, many, many of them have been done. It's just page after page after page after page. And if you look up here, look at the number of individuals affected, 100,000, 20,000, hundreds of thousands. And I haven't read a lot about the penalties here, but I remember a lot of the credit card penalties and some of the other penalties. The last one that I read was fine. It was like $210 per record that was lost. So per credit card number that was lost, and it ended up being like 100 million. And I think that was Target. So I think it was roughly about 100 million credit card numbers and they were fined $210 per record. So it ended up being, I think, $210 million. You can see here by sheer numbers—Chris was talking about how big the penalties can get. This is the reason why when you start getting into these hospitals and HIPAA eCommerce businesses. For example, healthcare providers, there's a quarter million records that theoretically were hacked. And each of those records have numerous pieces of data. So however they count data, do they count it only per patient? That's 258,000 assessments of the penalty. Or do they have different records. and there were different violations based on the different records. So there are multiple penalties per record which could also take place. Is there anything else you wanted to cover here on HIPAA best practices for notification? I mean, so these are just the submissions, right? Continue to Part 13 to find a HIPAA developer.
President and CEO at Clarity Ventures Chris Reddick and Vice-President of Sales and Marketing Ron Halversen discuss the importance of self-reporting any data breaches that occur. Part 12 of a 13-part series (Return to Part 11)