WEDI offers breach notification guidance

Healthcare organizations have been experiencing data breaches at record rates. To help, the Workgroup for Electronic Data Interchange (WEDI) has published guidance on required steps to take to determine if a breach of protected health information (PHI) must be reported to affected patients and the Department of Health and Human Services.

The guidance "provides a decision process that can be used to guide efforts in establishing probability and requirements for notification," according to WEDI.

This issue brief provides a decision process that can be used to guide efforts in establishing probability and requirements for notification. - See more at: http://wedi.org/knowledge-center/documents/issue-briefs/resources/2014/02/10/breach-risk-assessment-issue-brief#sthash.ngjtRQhX.dpufThis issue brief provides a decision process that can be used to guide efforts in establishing probability and requirements for notification. - See more at: http://wedi.org/knowledge-center/documents/issue-briefs/resources/2014/02/10/breach-risk-assessment-issue-brief#sthash.ngjtRQhX.dpuf

If compromised information does not include PHI or the PHI is unusable, unreadable or indecipherable to unauthorized persons through encryption or other means, the covered entity does not need to notify patients, the government and the public about the breach. There are also instances where unintentional access to PHI or inadvertent disclosure do not need to be reported because the incidents involve trusted authorized persons or the information disclosed is not retainable by the recipient.

If these exemptions don't exist, the guidance helps users through a risk assessment to determine the probability of a breach and the decision processes necessary to determine whether the breach requires notification. The guidance also includes a series of procedures to implement improvements to the security and confidentiality of PHI.

Access the guidance.