California updated its breach notification rules in July 2021 to better explain what state healthcare providers must do after a data breach. HIPAA and state regulations on patient privacy and protection require covered entities and business associates to demonstrate due diligence when it comes to safeguarding protected health information (PHI). Such laws emphasize the importance of protecting personally identifiable information (PII) and PHI for solid patient care.
This includes reporting all data breaches to officials and to the affected individuals. Non-compliant healthcare organizations can face investigations, fines, and other serious repercussions (e.g., a HIPAA violation finding). This is likely why California clarified its breach notification rules.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. The U.S. Health and Human Services Office for Civil Rights (OCR) regulates and enforces the act, which consists of five sections (or titles). Most referenced is Title II as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form. Understanding and implementing these guidelines is fundamental to avoiding data breaches and HIPAA violations and to properly reporting problems.
The HIPAA Breach Notification Rule (2009) makes it mandatory for healthcare providers to report all PHI breaches. Breaches affecting more than 500 individuals require notification within 60 days of discovery (or directly after an investigation). Breaches affecting fewer than 500 individuals must be logged with OCR within 60 days of the end of the year.
At the same time, every state has its own laws regarding unsecured data breaches and what to report and how. California's laws outline who has access to a patient's PHI and what can be disclosed. California Health and Safety Code section 1280.15 states that healthcare providers must notify the department and affected individuals no later than 15 days after "unlawful or unauthorized access." Only law enforcement may request a delay.
However, the original law lacked details, which is why the state provided recent clarification regarding:
Moreover, the modifications further align California law with HIPAA in form and content while still highlighting different deadlines and needs.
The healthcare industry continues to be one of the most heavily targeted by cyberattackers.
This is why privacy laws and reporting regulations exist. Essentially, there are three main reasons why timely reporting is necessary. First, complying with breach notification laws provides an adequate warning to affected individuals in case they need to monitor their credit. Second, reporting breaches supports agencies and IT specialists who collect information about threat actors and cyberattacks to stop future breaches.
Finally, compliance helps healthcare organizations avoid federal or state privacy violations that could include hefty fines as well as possible shutdowns.
Following the regulation updates, California Attorney General Bonta released a bulletin reminding healthcare organizations to comply with breach reporting laws. The bulletin also pointed out the benefit of preventing breaches, highlighting five methods:
But most important of all, healthcare providers must use strong email security (i.e., HIPAA compliant email). Our patented HITRUST CSF certified solution Paubox Email Suite uses encryption on all outgoing emails. And these messages can be sent from your existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior.
Moreover, our patent-pending Zero Trust Email feature for Plus and Premium customers adds an AI-powered proof of legitimacy to all inbound emails before they are delivered. U.S. healthcare organizations must properly report breaches not only to protect patients but to also ensure compliance with federal and state laws. At the same time, proactive organizations mitigate risks, violations, fines, and the need to report. No matter what, understanding guidelines and utilizing solid cybersecurity programs is the only way to effectively block cyberattacks.