Cleveland partner Steve Eisenberg was quoted in the September 14, 2009, American Medical News article, "Practices Must Have Plans for Handling Health Data Breaches."
According to the article, starting September 23, if patients' personal data are leaked, the physician has to let them know. This could mean sending a letter to the patient or patients affected or taking out a quarter-page ad in the local newspaper, depending on the type of breach. Additionally, even if a breach never occurs, the new rules, sanctioned by the American Recovery and Reinvestment Act and issued by the U.S. Dept. of Health and Human Services in August, require practices to have a plan in place—just in case, according to the article.
Eisenberg said a practice's first course of action should be to re-examine its privacy and security policies to ensure they reflect current law. With fines that could reach up to $1.5 million for a breach, and the potential for criminal and civil action against individuals, now is a good opportunity for practices to retrain staff members to ensure that they know what's allowed and what could get them into trouble.