Uh-oh, That’s a HIPAA Breach!

Handle a breach with diligence: Investigate it, mitigate it, and implement corrective processes.

Even a single patient’s HIPAA breach in 2013 needs to be submitted to the OCR by Feb. 28, 2014.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has undergone many provisional changes over the years. Most recently, the U.S. Department of Health & Human Services (HHS) published a final omnibus rule in the Jan. 25, 2013 Federal Register (45 CFR Parts 160 and 164). This final rule implements statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), to strengthen the privacy and security protection for individuals’ protected health information (PHI).

Under the rule, all covered entities (CEs) must notify a patient of a breach of his or her unsecured PHI. The final rule clarifies that any impermissible use or disclosure of PHI is presumed to be a breach, unless the CE or business associate (BA) demonstrates there is a low probability that the PHI has been compromised. This puts the burden of proof on the CE or BA to prove it had the necessary permission to disclose, or that there was a low probability the PHI was compromised as a result of the disclosure.
Although an assessment of “harm” is no longer the standard for determining a breach under the final rule, inappropriate PHI use or disclosure may not be considered a reportable breach if the CE can prove (through a documented risk assessment) that the unauthorized acquisition, access, use, or disclosure of PHI did not compromise the patient’s security or privacy. For example, it may not be a reportable breach under the rule if a fax containing PHI is sent in error to another CE, and the CE that received the PHI in error destroys it and reports to the sender CE that it has done so.

How to Notify a Patient of a Breach

Your practice’s privacy officer should understand breach handling well enough that risk assessments and patient notifications can be done routinely whenever the practice suspects a potential breach.
The government wants you to respond to a breach in a timely manner, which is outlined in HIPAA to be “without unreasonable delay and in no case later than within 60 calendar days of when you first discovered the breach.”
The rule requires a practice to send written notice of the breach to the affected patient by first class mail (or email if the patient has agreed to receive communications from the practice electronically). Send the notice as soon as possible after completing your investigation of the breach and before the aforementioned 60 calendar days are up.
The notification to the affected patient should include:
1.  A brief description of what happened;
2.  The date of the breach and the date the practice discovered the breach;
3.  A description of the type of PHI involved in the breach (e.g., name, Social Security number, diagnosis information, address, date of birth);
4.  Steps the patient should take to protect him- or herself from potential harm as a result of the breach;
5.  An apology from the practice that the breach occurred;
6.  A brief description of what the practice is doing to investigate, mitigate, and protect against further breaches; and
7.  Contact procedures for more information, which must include a toll-free number, email address, and website or postal address.
If the breached information contained a Social Security number or other sensitive information, such as a credit card number, consider purchasing one to two years of credit monitoring services (through the three major credit bureaus) for the affected patient. This will help mitigate any harm to the patient as a result of the breach. If you do this, include information in your notification letter for how the patient can take advantage of your credit monitoring services offer.
Write the letter to the patient as plainly as possible, using clear and understandable language (see the Model Letter of Breach Notification, below). Be careful not to further disclose any information to the affected patient that isn’t allowable under HIPAA (e.g., the name of another patient who may have incorrectly received his or her information).

Substitute Notice

If there is insufficient or out-of-date contact information for patients who are affected by the breach, the final rule allows you to provide “substitute notice” to affected patients. This notice must be “reasonably calculated” to reach the patients. You can provide substitute notice using an alternative form of written notice, telephone, or other methods of contact. If you do not have sufficient contact information for 10 or more of the patients affected by the breach, you must post a conspicuous notice of what happened on your website’s home page for a period of 90 days, or post a conspicuous notice in major newspapers and/or broadcast media in the areas where the affected patients live. These postings must also include a toll-free phone number that is active for at least 90 days, which a patient can call to learn if his or her PHI was included in the breach.

Reporting the Breach to the Government

A practice is also required to report the breach to the HHS Office for Civil Rights (OCR). Breaches involving one to 499 patients do not require simultaneous notification to the OCR when you send the breach notification letter(s) to the affected patient(s). In these cases, you have until 60 days past the end of the calendar year (the year in which the breach occurred) to notify the OCR. As such, you must complete the notification of 2013 breaches to the OCR by Feb. 28, 2014 (60 days after the effective date of Jan. 1, 2014). All such notifications are made through the secretary’s website, using its form (go to www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html).
Any breach involving 500 or more patients’ information requires you to notify the OCR at the same time you send the notification letters to the affected patients. If 500 or more patients’ data is affected in a particular area, notification to the media is also required. This is most often done by issuing a press release to the local media in the area where the affected patients reside.
If you are diligent in identifying breaches, take the necessary steps to mitigate a breach, and implement in your practice any corrective processes and/or training to ensure a similar incident does not happen in the future, your practice should experience few repercussions.

Bio: Marcia L. Brauchler, MPH, CPHQ, CPC-P, CPC-H, CPC-I, is a healthcare consultant and founder of Physicians’ Ally, Inc. She advises physicians and practice administrators on managed care contracts, reimbursement, coding, and compliance. Brauchler’s firm is selling updated HIPAA Policies and Procedures at www.physicians-ally.com/hipaacompliance. She is a member of the Denver, Colo., local chapter.

John Verhovshek, MA, CPC, is a contributing editor at AAPC. He has been covering medical coding and billing, healthcare policy, and the business of medicine since 1999. He is an alumnus of York College of Pennsylvania and Clemson University.