A Marion Star exposé claims that Morrow County EMS exposed private patient data from 2008 to 2011 and did not notify patients once the breach was discovered. The HIPAA and HITECH acts have rigid disclosure guidelines and penalties for non-compliance. Even the smallest disclosures can have massive consequences. For example, an Idaho hospice was fined $50,000 for losing an unencrypted laptop with 441 patient records on it. Failing to report quickly has been a particular target of regulators.
As a reminder, notification of privacy breaches must be made “without unreasonable delay” but no later than 60 calendar days after discovering the incident to:
- The individuals whose personal health information was disclosed. They must be given details of what is being done to investigate the incident and what steps are being taken to prevent future breaches. If you have outdated contact information for ten or more of these individuals, you must also post this information on your website.
- The Department of Health and Human Services (HHS): immediately if over 500 individuals are affected, and annually for all disclosures regardless of size.
- Prominent media outlets, if the breach involves 500 or more individuals who are residents of one state or jurisdiction.
Many insurers are including small limits within liability policies to cover the cost of responding to a breach; contact an ambulance insurance broker today.