The EHR Blues: Fears of Adopting EHR – Threat of Data Breach
As the Privacy and Security Officer, one of the biggest fears that the board of directors (BOD) had to move forward with the adoption of the EHR has become a reality. You have just been notified of a recently discovered data breach that impacted your employer that represented ten (10) hospitals along the North East coast. You are responsible for creating a breach notification letter. This letter will be sent to patients whose Protected Health Information (PHI) has been compromised in the breach. According to federal regulations, the breach notification letter must contain five (5) required elements addressed in a customized manner according to the situational circumstances and consisting of:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI involved in the breach (i.e., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code).
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information which shall include a toll-free telephone number, an e-mail address, Website, or postal address If appropriate. The organization may include other customized information, including:
- Information about steps the organization is taking to prevent future similar breaches.
- Information about sanctions the organization imposed on workforce members involved in the breach.
- Consumer advice directing the individual to review account statements and monitor credit reports.
- Recommendations that the individuals place a fraud alert on their credit card accounts, or contact a credit bureau to obtain credit monitoring services, if appropriate.
- Contact information for credit reporting agencies, including the information needed for reports for criminal investigation and law enforcement.
- Contact information for national consumer reporting agencies.
Create a letter that incorporates the above five required elements including the six subcategories of information listed under item #5.
Using the actual breach case of the Affinity Health Plan in 2013 (https://www.databreaches.net/affinity-health-plan-notifies-over-409000-of-breach/) or research a healthcare data breach that occurred within the past ten years to better assist you in understanding the true impact of a healthcare data breach and efforts made to respond and prevent future occurrences. You will need to make up the specifics about your health care organization (email address, website, phone number, addressâ€¦) but use the case for specifics about the breach event.