The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) demands covered entities and business associates to give notices to the HHS’ Office for Civil Rights (OCR) regarding data breaches and healthcare companies are furthermore directed to abide by state data breach notification regulations.
A lot of states have launched their own data privacy regulations, which usually demand the sending of notifications to the proper state Attorneys General in case a data breach surpasses a specific limit. States are permitted by law to bring civil actions against healthcare companies that fall short to send breach notifications as required by both HIPAA and state rules. In California, the restriction for reporting breaches is consistent with HIPAA. In case a data breach is encountered that affects 500 and up California citizens, the California Department of Justice (DOJ) should be informed.
A short while ago, there were a number of occasions where the California DOJ was not advised concerning ransomware attacks on California healthcare establishments, even if the personal and protected health information (PHI) of California locals has possibly been exposed during an attack.
California Attorney General Rob Bonta has lately given a bulletin instructing all entities that keep the confidential health-linked data of California citizens of their accountabilities to report data breaches as required by the California law (Civil Code section 1798.82). When there is a breach of the health information of 500 or higher California residents, it is required to send a breach report to the Office of the Attorney General. After that, California DOJ publishes the breach announcement on its web page to make sure the general population is aware of the breach to permit victims to take proper action to secure themselves against identity theft and fraud. Personal notices should additionally be given to impacted people.
Timely breach notice helps impacted people offset the possible losses that might occur because of the bogus use of their personal data acquired from a breach of health information. Consequently, it is essential for providers of health care to be proactive and cautious regarding decreasing their risk for ransomware attacks and to fulfill their health data breach notification responsibilities to safeguard the public.
In the bulletin, Attorney General Bonta additionally advised healthcare companies to take proactive actions to safeguard patient records against ransomware attacks.
State and federal health data privacy frameworks, such as the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), require healthcare entities and companies that deal with health information to determine suitable processes to make certain the privacy of health-related details, such as security measures that could help avoid the infection of malware, like ransomware, to secure consumers’ healthcare-associated data from unauthorized use and disclosure.
Healthcare institutions are urged to take the listed proactive measures:
- Update operating systems and software keeping health information
- Use security patches immediately
- Set up and keep antivirus software updated
- Provide regular data security training to workers, which include instruction concerning phishing attacks
- Limit users when downloading, installing, and running uncertified software programs
- Maintain and routinely check the data backup and recovery program for all critical data