Optometry Coding & Billing Alert

Reader Question:

Handle Potential HIPAA Breaches With Care

Published on Tue Oct 04, 2016

PDF

Question: Our receptionist was asked to fax a patient’s eye exam results to his school so he could pass his driver’s education class. She faxed it directly to the front office of the school and then it got misplaced by the school staff, so the patient’s mother came and picked up a new copy from us. We told our compliance officer about this and she said we need to report it to the patient as a potential HIPAA breach. Could you list some of the elements that you must include when notifying individuals of HIPAA breaches?

Codify Subscriber

Answer: A HIPAA breach occurs each time you commit a violation of a patient’s protected health information (PHI) rights. If you don’t report the breach according to the rules set forth by the Department of Health and Human Services (HHS), you could get nicked for willful neglect of the rules. HHS does not take these violations lightly; fines for willful HIPAA neglect start at $10,000 and only increase from that point.

Also, you have to file a breach notification as soon as you become aware of it. If a patient finds out that you have breached his PHI and you have not properly notified him, he may file a complaint with HHS. If a patient files a complaint before you file an individual breach notice, it will be too late for you to be in compliance.

Here are the elements you must include in an individual breach notification, identified in 45 CFR § 164.404(c) on the United States Government Publishing Office (GPO) website:

The date of the breach.
The date of the discovery of the breach.
The information that was breached.
Steps the individual should take to protect PHI.
What the covered entity (the medical practice) is doing about the breach. (For example: “Practice is investigating the incident”, “Practice is evaluating mitigating impacts that might have contributed to the breach,” “Practice is forming an action plan to protect against future breaches,” etc.)
Contact information that the individual can use if he has questions. Be thorough on this one by providing the individual with as many contact possibilities as you can: Practice phone number, email address, postal address, website, etc.

Optometry Coding & Billing Alert

Optometry Mythbuster:
Don't Perform Surgeries? Global Periods Still Apply to You
Even minor procedures have global periods associated with them. Myth: Because optometrists don’t perform surgeries, they [...]

Compliance:
This Optometrist Had to Return $150K to Medicare
Ensure that you don’t face the same fate with these FAQs. An optometrist in Oklahoma [...]

E/M Coding:
Are You Making This $31 Mistake?
Determine whether you can accurately code this eye care chart. Would the partners at [...]

ICD-10:
Look to 6th Digit for Most Hypotony Diagnoses
Cause of condition may ease your code selection woes. When your optometrist sees a patient [...]

You Be the Expert:
Stamped Signatures Typically Taboo
Question: What are the specifics regarding provider signatures on claims? Is it ever safe for a [...]

Reader Question:
Handle Potential HIPAA Breaches With Care
Question: Our receptionist was asked to fax a patient’s eye exam results to his school so [...]

View All