HIPAA and Data Breaches
Understanding the HIPAA breach policy and having a breach notification checklist can prepare you in case of unauthorized disclosure of ePHI.
HIPAA requires that business associates and covered entities retain the following for at least six years from the date of creation or the date it was last in effect, whichever is later.
A written or electronic record of the designation of an organization as a covered entity (CE) (e.g., health plan, affiliated covered entity, etc.) or business associate (BA).
Information security and privacy policies and procedures implemented to comply with HIPAA.
All documented settings, activities and assessments required by HIPAA.
All data use agreements and other forms supporting HIPAA compliance.
All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments.
The Notice of Privacy Practices for entities that must provide them.
Designated record sets that are subject to access by individuals.
Documentation of the titles of the persons or offices responsible for HIPAA compliance. This includes not only those with overall responsibility for compliance, but also those responsible for receiving and processing individuals' requests for amendments, and those responsible for receiving and processing individuals' requests for an accounting of disclosures.
Accounting of disclosures of protected health information (PHI).
In addition to understanding what HIPAA requires for retention, covered entities and business associates must also know their other retention obligations arising from state, federal, international and contractual requirements. For example, Connecticut state law requires that medical records, some of which go beyond HIPAA’s definition of PHI, be maintained for 7 years.