How to Avoid Unnecessary Breach Reporting
Healthcare organizations need to diligently assess whether a security incident involving patient information truly qualifies as a reportable breach under HIPAA to avoid needlessly reporting it to federal regulators, says regulatory attorney Helen Oscislawski.
"I want organizations to know that when you come across an incident, you need to take a look at the facts and circumstances and keep in mind that ... reporting and notification is only legally required when there is more than a low probability that the protected health information has been compromised," she says in an interview with Information Security Media Group.
"Whether PHI has been compromised is yet another legal standard requiring the evaluation of four factors that the Department of Health and Human Services laid out in the [HIPAA breach notification] rule," she notes.
"The consequences of not going through all that thorough analysis is...