Whenever there is a security breach of any size involving protected health information (PHI), the healthcare industry is now required under the HITECH Act to complete an incident-specific risk assessment. ID Experts announced RADAR (Risk Assessment Documentation and Reporting), a tool that measures an incident's risk index (IRI) by combining the severity of the incident with the sensitivity of the exposed data, quantifying the incident's overall harm threshold.
Designed for healthcare providers, HIPAA covered entities, and business associates, RADAR was developed to efficiently and consistently meet all of the requirements for complying with the HITECH Act Data Breach provisions for security and privacy breach incident harm threshold assessment, documentation, and reporting.
Security breaches are now commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010. In fact, healthcare is the second most breached industry, according to the Internet Theft Resource Center. And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive. Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns of protecting patient privacy, PHI threats, and medical identity theft.
Following any security breach, RADAR guides the privacy or security officer through an analysis of the incident and the exposed data: it quantifies the incident, determines whether the exposed information includes PHI, whether any exceptions apply, and how likely it is that the information could be misused.
The results help organizations determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate that harm, while fulfilling all of the HITECH requirements enforced by HHS, including determining whether notification is required.