New rules have finalized the Interim Final Rule on HIPAA Breach Notification, but there has been an important change in how to determine whether or not a breach is reportable. Old policies and processes must be replaced with an updated process meeting the new rule's requirements no later than September 23, 2013. HIPAA entities will need to follow the new rules or risk substantial fines and penalties, including multi-year corrective action plans.
HIPAA Breach Notification rules require notification of individuals and HHS when information security is breached, and the rules for determining what to report have changed.
The HIPAA Breach Notification Rule, required by the HITECH Act within the American Recovery and Reinvestment Act of 2009, requires all HIPAA covered entities and business associates to follow a number of steps to be in compliance.
If there is a breach of protected health information that does not meet one of the strictly defined exceptions or has greater than a "low risk of compromise," the breach must be reported to the individual, and all such breaches must be reported to the Secretary of the US Department of Health and Human Services at
There are additional steps to take if the breach affects more than 500 individuals, including media notices and immediate notification of
For every potential breach of PHI, the entity will have to determine if the information breached meets an exception, or perform a risk assessment considering what the information was, who received it, whether it was actually viewed, and whether or not it was destroyed, and take action to notify the affected individuals if there is greater than a "low probability of compromise."
Entities must adopt a breach notification policy and procedures to ensure accurate reporting and documentation of breaches, and must take steps to protect information from breaches by using encryption and proper disposal methods meeting Federal standards.
Entities must follow the standards and specifications of the HIPAA Security Rule to protect information from breaches, and must negotiate new Business Associate Agreements to include liability for breach notification and requirements for timely reporting to the entity.
On top of all this, the landscape of information security threats and breaches is changing dramatically, requiring new kinds of security efforts and consistent application of old safeguards to protect patient information. What used to be "good enough" is no longer sufficient to properly protect PHI.
The HIPAA Breach Notification Rule has been in effect since September 23, 2009, and many organizations are not prepared to respond to a breach of PHI and report and document it.
We will discuss the origins of the rule and how it works, including interactions with other HIPAA rules and penalties for violations.
HIPAA Covered Entities and Business Associates need to know where and what information they have, so they can know if there has been a breach, and figure out how serious a breach may be and whom to notify if there is a chance of
Entities can avoid notification if information has been encrypted according to Federal standards. We'll talk about what information needs to be encrypted the most and how entities are doing it.
We will cover the guidance from the US Department of Health and Human Services that shows how to encrypt so as to prevent the need for notification in the event of lost data.
Online compliance Training & webinar on HIPAA 2 - What Needs to Change in Policies and Procedures will discuss how to create the right breach notification policy for your organization and how to follow through when an incident
In addition, a policy framework to help establish good security practices is presented.
We will cover the essentials of information security methods you can use to keep breaches from happening and be in compliance with the HIPAA Security Rule as well. We'll also discuss the new penalties for non-compliance, including mandatory penalties for "wilful neglect" that begin at $10,000.
We will help you understand what isn't a breach and under what circumstances you don't have to consider breach notification.
You'll find out how to report the smaller breaches (fewer than 500 individuals), as required, within 60 days of the end of each year, and you'll know why you want to avoid a breach involving more than 500 individuals: media notices, Web site notices, and immediate notification of HHS, including posting on the HHS breach notification "wall of shame" on the Web.
We will explain, based on historical analysis of reported breaches, what measures must be taken today to protect information from the most common threats, as well as discuss information security trends and explain what kinds of efforts will need to be undertaken in the future to protect the security of PHI.
We will discuss the kinds of threats that exist for PHI and how they're changing as the hackers gain experience and abilities.
Breach Notification Laws
- State Breach Notification Laws
- Changes to HIPAA
- Federal Breach Notification Law and Regulation
- The Who, What, and How of Breach Notification

Preventing and Preparing for Breaches
- Using an Information Security Management
- Using Risk Analysis and Risk Assessment
- Most Common Types of Breaches
- Information Security, Incident, and Breach
- The Importance of Documentation

Enforcement and Audits
- New HIPAA Violation Categories and Penalties
- Preparing for HIPAA Audits
- Case Studies

Future Trends and New Threats to Prepare For
- History vs. the Future
- Why Attack Trends Are Changing
- Implications of New Directions in Attacks and
Information Systems Manager
Chief Information Officer
Health Information Manager
Thank you

Complianz World, a US-based company and a leading GRC training provider, has announced a Webinar or Online Training on HIPAA 2 - What Needs to Change in Policies and