
HITECH Data Breach Solutions from ecfirst
Addressing Discovery & Notification Mandates
Previously, covered entities were not mandated to notify patients if a breach of their Individually Identifiable Health Information was disclosed. With the HITECH Act, both covered entities and business associates that hold, use or disclose "unsecured PHI" have a legal duty to notify certain parties in the event of a "breach."
The Definition of "Breach"
The term "breach" means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Sec. 13400. Definitions. American Recovery and Reinvestment Act (ARRA) of 2009
As a direct result of the HITECH Act, if a breach occurs, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Business associates of covered entities must, after discovery of a breach, notify the covered entity of the breach and let the covered entity know the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed.
A breach is considered to be "discovered" as of the first day on which the breach is known by any member of the workforce. Typically, written notice describing the breach must be made "without unreasonable delay" and it must occur within 60 days of the discovery of the breach.
ecfirst can Address HITECH Data Breach Mandates
To address the policy requirements of the data breach section of the HITECH Act, ecfirst will:
Provide your staff with a 1-hour training program via webinar and a PowerPoint presentation for ongoing training about critical data breach requirements and associated policies.
Contact Us
Please contact John Schelewitz at John.Schelewitz@ecfirst.com or at +1.480.663.3225 to learn more about the ecfirst BizShield™ HITECH Data Breach solutions to address critical compliance mandates. Get started by scheduling a private webcast to discuss the requirements of the HITECH Act for data breach discovery, notification and more.
Talk to us - you will find us to be a partner you can trust.
About ecfirst
ecfirst delivers world-class information security and regulatory compliance solutions. With 1,400+ clients, ecfirst was recognized as an Inc. 500 business - America's Top 500 Fastest Growing Privately Held Business in 2004 - our first year of eligibility. ecfirst assists organizations with their compliance initiatives for a secure information infrastructure that is compliant with regulations such as HITECH, HIPAA, ISO 27000, or federal and state legislation (such as California or Massachusetts).
ecfirst serves a Who's Who client list that includes technology firms, numerous hospitals, state and county governments, and hundreds of businesses across the United States and abroad. A partial list of clients includes Microsoft, Symantec, HP, PNC Bank, McKesson, EMC, IBM, Principal Financial, U.S. Army, U.S. Dept. of Homeland Security, U.S. Dept. of Veterans Affairs and many others.
Talk to ecfirst and you will find an organization that is passionate about the services we deliver and exceptionally devoted to its clients.
We deliver value with intensity and are paranoid about performance for your organization.
For more information, please visit http://www.ecfirst.com/.