This document provides guidelines for notifying individuals of a data breach under HIPAA and HITECH regulations. It outlines three steps: 1) determine the level of harm caused by assessing what data was exposed, 2) document the data exposure and harm level, and 3) notify affected individuals and regulatory agencies as required, consulting legal counsel. Notification requirements depend on the type of data lost and level of harm, such as reputational, financial, or other harm.

1. HIPAA And HITECH Data Breach Guidelines
When And How To Notify
In September 2009 the new HITECH laws went into e ect, and there has been much discussion
about what this new legislation means for HIPAA covered entities and business associates. In a
nutshell, it means every breach must be evaluated and documented.
What Steps Do I Need to Take?
STEP ONE: One of the rst questions the organization should try to answer is: “What was the level
of harm caused by the data breach exposure. “
In determining the potential for harm it is important to ask some additionally questions like: Was
the data encrypted? What data (PHI, PII, etc.) was included in the breach? Was the data only
exposed to another business unit in the hospital, and if so, was a con rmation received the infor-
mation was destroyed? Could this exposed information pose any harm to the patient or consumer?
The guidelines indicate that there are three categories of harm that can potentially require
consumer noti cation:
(1) Financial Harm
(2) Reputational Harm
(3) ”Other” Harm
Financial harm is often de ned as information that can lead to the nancial harm of the consumer,
such as a breach of a consumer’s social security number. Reputational harm is often de ned as the
exposure of consumer health information that can lead to reputational harm of a consumer, such
as the accidental release of a consumer’s health history. The de nition of “Other Harm” has been the
subject of much discussion. Most industry leaders believe “other harm” to mean an exposure that
did not include information such as a social security number or personal health information, but an
exposure that may include date of birth, name, address and insurance information. This information
could be just as valuable to a thief who could then use that information to receive medical treat-
ment using the patient’s insurance information.
STEP TWO: Document the details of the data exposure and include in that documentation what
level of harm you have determined and why you have assigned that level of harm.
STEP THREE: If it is determined that you need to notify the consumer, your next step will be to
determine who you will notify, how you will notify, and what level of remedy you provide. You
should always consult with your legal counsel as to what level of noti cation is required.
S P E A K W I T H A D E B I X B R E A C H S P E C I A L I S T AT 800-965-7564 O R V I S I T W W W. D E B I X . C O M / B U S I N E S S

2. General Guidelines
• If you have disclosed information to a HIPAA compliant entity or a business associate, and have
been able to ensure the information was not viewed, it has not been stored and you can
con rm it has been destroyed, you usually do not have to notify.
• If the lost information was protected by strong encryption, you usually do not need to notify.
• However, if you do not know the status of the information that has been compromised then in
general you must notify.
• Determine who you need to notify, possibilities may include:
> A ected Consumers
> Department of Health and Human Services (HHS)
> California State Department of Health (If consumers live in California)
> State Attorneys General O ces (if SSN was involved)
> Local newspapers and /or your corporate website (if there are more than 10 consumers
who need to be noti ed and you do not have a valid current address)
To determine the right level of protection to provide along with noti cation, see the chart below:
T YPE OF HARM BASED ON T YPE OF DATA LOST
T Reputational Harm Reputational And/Or Reputational, Financial
Other Harm And/Or Other Harm
Lab Results, Diagnosis, Name, DOB, Address, Insurance Lab Results, Diagnosis, Name,
Treatment, Etc Information (Enough information DOB, Address, Insurance Info,
for thief to commit medical Social Security Number
identity theft)
Debix Solutions
Toll Free Call Center
Support
Noti cation Services:
Consumer noti cation
Regulatory noti ca-
tion (HHS, AGs)
Fully Managed Identity
Restoration Services
Medical
Financial
Employment
Criminal
$1 Million Identity Theft
Insurance Coverage
OnCall Credit Monitoring
(Triple Bureau)
512-751-9992 Jason.howard@debix.com
Jason Howard, Director of SalesSales Manager 512-669-8952 Nicholas.Cramer@debix.com
Nicholas Cramer, Regional
S P E A K W I T H A D E B I X B R E A C H S P E C I A L I S T AT 800-965-7564 O R V I S I T W W W. D E B I X . C O M / B U S I N E S S