Please review the instructions below for submitting breach notifications.

Instructions
Activity 3: Cyber Breach Activity (100 points)
This activity consists of two parts. (100 points) (A two-page response is required for the combination of Parts A and B.)
You work in a healthcare technology company that provides software technology to 100 hospitals throughout the United States. As a result, your software stores patient data for about 10 million patients across all of your customers. To better protect data, you’re working on a project to deploy encryption technology across all locations so that all customer data is encrypted.
The data is segmented and stored in the following ways:
Five million patient data records in Location A
Two million patient data records in Location B
Three million patient data records in Location C
The encryption project is about 30 percent complete, with Location C being the first to achieve full encryption. Data in this location, even if breached, can’t be viewed or understood by unauthorized individuals. Today, you learned that a breach happened on your network, and hackers were able to gain access to all three locations.
Part A: Discuss the purpose of patient breach notifications and whether patient breach notification is required in this case. If so, how many notifications need to go out, and within what timeframe should they be sent? (50 points)
Resources:
Page 169 of your textbook
US Department of Health and Human Services – Health Information Privacy
US Department of Health and Human Services – Breach Notification
Part B: Select one of the latest breaches reported to HHS in the following link, and draft a breach notification letter to send to those affected. (50 points)
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[1]
Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.
[1] NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.
Submitting Notice of a Breach to the Secretary
A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information. See 45 C.F.R. § 164.408. All notifications must be submitted to the Secretary using the Web portal below.
A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.
If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.
Breaches Affecting 500 or More Individuals
If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.
Submit a Notice for a Breach Affecting 500 or More Individuals
View a list of Breaches Affecting 500 or More Individuals
Breaches Affecting Fewer than 500 Individuals
If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.
Submit a Notice for a Breach Affecting Fewer than 500 Individuals
Pg. 169
Affected Individuals (Patients) In the United States, healthcare organizations must notify individuals (of any number) once the incident has been evaluated and there has been sufficient risk of disclosure.
TIP Under HIPAA, the risk of disclosure threshold is important to determine whether the data incident is a breach under the law (impermissible use). According to the U.S. Department of Health and Human Services, “a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Unless the healthcare organization can show through a risk of disclosure analysis that the protected health information has a low probability of compromise (further disclosure), the disclosure is considered a data breach.
The risk analysis will consist of these considerations:12
● The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
● The unauthorized person who used the protected health information or to whom the disclosure was made
● Whether the protected health information was actually acquired or viewed
● The extent to which the risk to the protected health information has been mitigated
In the event the risk analysis confirms that the incident is in fact a data breach, healthcare organizations in the United States are mandated to notify affected individuals. Even the form of the notice is prescribed. The individual notice must be within 60 days and in written form by first-class mail or, alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. When the contact information is out of date or incorrect for 10 or more people, the healthcare organization has to take alternative measures. It can post the notice on the organization’s web site or engage the media to broadcast the information. The notice in any format must include the following elements:
● A description of the breach
● Types of information that were involved
● What affected individuals can do to reduce chances of additional harm (obtain a credit report, monitor bank accounts, and so on)
● A brief description of what the healthcare organization is doing to investigate the breach, mitigate the harm, and prevent further breaches
● Contact information for the covered entity
The contact information should include a toll-free number for individuals to call to determine whether they also were affected by the breach.
