How Data Breach Notification Laws Impact Security

In today’s world, data can be almost as valuable as money.

Attackers actively target Social Security numbers, home addresses, and bank account numbers. Businesses and individuals alike saw a record number of security breaches in 2016, and that number is projected to keep growing.

If you work in the medical field, you don’t have to be told how important confidentiality is.

Patients don’t just trust doctors with their personal medical history and other information, they’re also trusting nurses, lab workers, and other medical staff. The threat of security and data breaches in the healthcare industry has grown, and people need to be prepared to deal with them.

Data breach notification laws have been enacted to protect both businesses and people when sensitive information is leaked. If your practice isn't compliant with them, you could find yourself in serious legal trouble.

What are Data Breach Notification Laws?

The federal HIPAA Breach Notification Rule requires covered entities to notify affected patients without unreasonable delay, and no later than 60 days after a breach is discovered. State laws with shorter timelines are not preempted by HIPAA, so you must meet whichever deadline is stricter. Data breach notification laws were first enacted at the state level in 2002, when California passed the first one.

These laws require entities that handle sensitive data to notify customers and other affected parties when a data breach occurs. Both private and government entities are subject to them.

Each state has different rules about how and when affected people must be notified. Some require written notice by mail, while others accept an e-mail or a phone call. New Mexico, for example, requires notification within 45 days of discovering the breach; other states set a 30-day limit.

Few people would want to tell their patients that their confidential records have been leaked. The simplest way to ensure that you don’t have this unpleasant conversation is to avoid security breaches.

Unfortunately, even large hospitals and practices can be affected by leaks.

A Case of Bad Security

Let's take some time to examine a case in which two well-known institutions experienced a data breach, and how it affected them.

In 2014, New York-Presbyterian Hospital (NYP) and Columbia University reached a joint settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, agreeing to pay a combined $4.8 million over a data breach.

The breach was large: the electronic protected health information of about 6,800 patients was exposed. OCR's investigation began in 2010, nearly four years before the settlement, when someone filed a complaint after finding a deceased loved one's medical records through an internet search engine.

The cause was not a targeted attack. A physician employed by Columbia, who developed applications for both organizations, attempted to deactivate a personally owned server that sat on the shared network and held NYP patient data. Because no technical safeguards were in place, the deactivation left that data reachable by public search engines.

Because of breach notification laws, New York-Presbyterian Hospital and Columbia University had to undertake a large effort to notify affected patients.

They also had to deal with negative attention from the press. Both were found at fault because neither had conducted a thorough risk analysis of the systems holding patient data or put technical safeguards in place to protect it.

Data breaches can be very costly for hospitals, doctors' offices, and other medical practices, and HIPAA violations can cost thousands or even millions of dollars in penalties and settlements. That's why everyone working in the medical field should be familiar with the current data breach notification laws and with sound security practices.

Data Breach Security Laws In Health Care

If you want to learn about cyber security requirements for health care, go straight to the source. The U.S. Department of Health and Human Services publishes a summary of the HIPAA Security Rule that spells out what covered entities must do.

When it comes to protecting electronic protected health information (ePHI), the Security Rule sets out four general requirements:

  1. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  2. Protect against reasonably anticipated, impermissible uses or disclosures.
  3. Ensure the confidentiality, integrity, and availability of all ePHI that is created, received, maintained, or transmitted.
  4. Ensure that the workforce complies with the Security Rule.

In simpler terms, unauthorized people shouldn't have access to any patient records, and medical practices need to take reasonable, documented measures to keep confidential information safe.

New York-Presbyterian Hospital and Columbia University paid $4.8 million because proper security measures weren't in place. Had they inventoried the systems holding patient data and put technical safeguards around them, the exposure would most likely have been prevented.

Improving security to be compliant

You may not be able to predict when or if a breach or cyber-attack will occur, but there are things you can do to improve data security.

Perform a Risk Assessment

A risk assessment of potential security breaches is essential for any health care office. It means identifying where ePHI lives and determining the likelihood and impact of a breach of each system. It is also a legal requirement: the HIPAA Security Rule has required covered entities to conduct an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)) since it took effect in 2005, and the Omnibus Rule, effective March 2013, extended that obligation directly to business associates.

It also guides which security measures to implement to reduce the chance of a breach, and it documents what needs to be done to protect ePHI.

A risk assessment isn't a one-time activity. Repeat it periodically, and whenever systems or workflows change, so that you know you're doing what you can to protect important data.

Limit electronic access to patient data

With today's software solutions, you can put safeguards in place so that the right people see only the information they need. Consider implementing role-based access for your medical records. Generally speaking, access should be granted based on the minimum a workforce member or vendor needs to complete their required duties.

You can give members of your office or practice different tiers of access to patient data. Nurses and lab associates might only be able to enter vitals, lab results, and similar information into a patient's record, while physicians have access to the full chart.
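The tiered access just described, as an added example that is not from the original page: a deny-by-default role policy in Python with an audit trail of every decision. The roles, chart sections, user IDs and the policy table are assumptions for illustration; a real records system maps roles onto its own data model.

```python
"""Role-based, minimum-necessary access control for a patient chart.

Added example, not from the original page: the roles, chart sections
and policy table below are assumptions for illustration. The check is
deny-by-default and records every decision, allowed or not.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Sections of a patient chart (hypothetical names).
SECTIONS = frozenset(
    {"demographics", "vitals", "lab_results", "clinical_notes", "billing"}
)

# Policy table: role -> section -> permitted actions. A role gets only
# what its duties require; anything missing from the table is denied.
POLICY: dict[str, dict[str, set[Action]]] = {
    "physician": {
        **{s: {Action.READ, Action.WRITE} for s in SECTIONS - {"billing"}},
        "billing": {Action.READ},
    },
    "nurse": {
        "demographics": {Action.READ},
        "vitals": {Action.READ, Action.WRITE},
        "clinical_notes": {Action.READ},
    },
    "lab_tech": {
        "demographics": {Action.READ},
        "lab_results": {Action.READ, Action.WRITE},
    },
    "billing": {
        "demographics": {Action.READ},
        "billing": {Action.READ, Action.WRITE},
    },
}


@dataclass(frozen=True)
class AccessDecision:
    user: str
    role: str
    action: str
    section: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    """Evaluates requests against the policy and keeps an audit trail."""

    policy: dict[str, dict[str, set[Action]]] = field(
        default_factory=lambda: POLICY
    )
    audit_log: list[AccessDecision] = field(default_factory=list)

    def authorize(self, user: str, role: str, action: Action, section: str) -> bool:
        """Return True only if the role's policy explicitly grants the action."""
        if role not in self.policy:
            allowed, reason = False, "unknown role"
        elif section not in SECTIONS:
            allowed, reason = False, "unknown section"
        elif action in self.policy[role].get(section, set()):
            allowed, reason = True, "granted by role policy"
        else:
            allowed, reason = False, "not granted to role"
        # Denials are logged too: a user repeatedly probing sections
        # outside their role is an early warning worth reviewing.
        self.audit_log.append(
            AccessDecision(user, role, action.value, section, allowed, reason)
        )
        return allowed

    def denied_attempts(self, user: str) -> int:
        """Count refused requests by one user, for periodic log review."""
        return sum(1 for d in self.audit_log if d.user == user and not d.allowed)


def demo() -> dict[str, bool]:
    """Exercise the tiers described in the text with constructed requests."""
    ac = AccessController()
    return {
        "nurse writes vitals": ac.authorize("rn01", "nurse", Action.WRITE, "vitals"),
        "nurse reads lab results": ac.authorize("rn01", "nurse", Action.READ, "lab_results"),
        "lab tech writes lab results": ac.authorize("lab07", "lab_tech", Action.WRITE, "lab_results"),
        "lab tech reads clinical notes": ac.authorize("lab07", "lab_tech", Action.READ, "clinical_notes"),
        "physician reads whole chart": all(
            ac.authorize("md02", "physician", Action.READ, s) for s in sorted(SECTIONS)
        ),
        "physician edits billing": ac.authorize("md02", "physician", Action.WRITE, "billing"),
        "unknown role reads vitals": ac.authorize("tmp99", "intern", Action.READ, "vitals"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
```

Two design choices matter here. The check lives with the records, not in the user interface: hiding a button in a client does nothing if the same request can be sent directly to the server. And denials are written to the log alongside grants, so a nurse's account that keeps asking for lab results or a physician reading the charts of patients they do not treat shows up during routine log review rather than after a complaint.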

Limit physical access to patient data

Do you have servers with patient data or paper records at your office? Are there certain computers or devices that contain patient data?

Any and all patient data needs to be protected, and rooms holding physical records or servers shouldn't be easy to enter. At a minimum, keep them locked, and limit keys or badge access to the staff who actually need it.

Have proper security help

You may have an IT department, but do you have someone dedicated to ePHI security? An IT specialist who is an expert in protecting patient data can help protect your practice.

A specialist will be up to date on the latest security practices used in the industry. Having someone dedicated to ePHI security also shows that you took reasonable measures to protect data.

Wrapping up

Data security and HIPAA compliance should be a top priority for anyone working in health care. If you want to learn how to be compliant and protect ePHI, contact us so we can find out what's best for your needs.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
