Practice Management Alert
Follow the Path to Breach Notification Decision Making
You may not need to notify HHS.
How can you know for sure when you need to make a breach notification in the event of a potential breach of protected health information (PHI)? Use this breach-notification decision tree, provided by Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, VT.
1. Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?
a. NO: Not a breach; Document the incident and the determination of “not a breach.”
2. Was the information secured according to U.S. Department of Health and Human Services (HHS) guidance, or destroyed?
a. YES: Not a reportable breach; stop here. Document the incident and determination of “not a reportable breach.”
3. Was the potential breach internal to your organization AND unintentional, in good faith, with no further use, or inadvertent and within the job scope?
a. YES: Not a breach; stop here. Document the incident and determination of “not a breach.”
4. Can the breached information be retained in any way?
a. NO: Not a breach; stop here. Document the incident and determination of “not a breach.”
5. Perform a risk assessment. Is there a “low probability of compromise?”
a. YES: If there is a low probability of compromise, the breach is not reportable; stop here. Document the incident and determination of “not a reportable breach.”
Remember: If you have a small breach (affecting fewer than 500 individuals), you must report the breach to those individuals within 60 days, Sheldon-Dean says. You must also report the breach to HHS no later than 60 days after the end of the year.
If you have a large breach (affecting 500 individuals or more), you need to report the breach to the individuals affected and to HHS within 60 days, Sheldon-Dean explains. But you must also notify major media outlets of the breach when it affects more than 500 individuals in a given jurisdiction.
b. YES: Go to Step 2.
b. NO: Go on to Step 3.
b. NO: Go on to Step 4.
b. YES: If the breached information may be retained in some way, you have a breach. Go on to Step 5.
b. NO: If there is not a low probability of compromise, you MUST report the breach.
Practice Management Alert
- Reimbursement Roundup:
Start the New Year Off With Better Pay Than Expected
But prepare for possible reimbursement drops in April. You can breathe a sigh of relief [...] - HIPAA:
4 Steps Help Your Practice Work Through PHI Breach Assessments
Forget the ‘harm threshold’ and focus on ‘risk of compromise.’ Despite your practice’s best efforts, [...] - CPT® 2014:
Don't Miss Last-Minute CPT® Changes That May Affect Your Coding
Check intro for ‘other qualified health care professional’ clarification. If your shiny new CPT® 2014 [...] - What Would You Do? Clear Up Copay Confusion
Question: Our surgeon routinely has patients come to the office one week after surgery, regardless [...] - Clip and Save:
Follow the Path to Breach Notification Decision Making
You may not need to notify HHS. How can you know for sure when you [...] - Reader Question:
Prepare Employees For Change With 6 Strategies
Question:Our practice will be going through a lot of change in the next few months [...] - Reader Question:
Get the Scoop on ASC Allowed Procedures
Question: I might be transferring to manage our hospital’s ASC location and want to learn [...] - Reader Question:
POS Determines Supply Reimbursement
Question:My doctors are concerned that our practice is losing money on supplies, such as surgical [...] - Reader Question:
Ask for Patient Insurance Card
Question: A patient came to our office. The physician performed an exam and administered an [...] - Reader Question:
Give Address Details for Home Visits
Question: If you are billing home visits (99341-99350) the place of service is 12. My [...] - Reader Question:
Be Ready to Prove Your Case with Modifier 82
Question: Is there a difference in the reimbursement of procedures for modifiers 80 (Assistant surgeon) [...]
