Practice Management Alert

Compliance:

FAQ: Submit Breach Media Notices on Time to Satisfy Secretary

Remember, definitions of ‘media outlets’ depend on your locale.

Dealing with a breach of the Health Insurance Portability and Accountability Act (HIPAA) at your medical office is enough of a headache. The last thing you want to do is draw the ire of the Department of Health and Human Services (HHS) because you failed to properly notify the media.

Steer clear of any breach notification roadblocks by notifying the individual[s] and the Secretary of a breach each time one occurs. If your breach is especially large, however, it’s time to alert the media.

Medical practices that suffer a breach that affects more than 500 individuals of a state or jurisdiction are bound to provide notice to prominent media outlets serving the area, confirms Laureen Jandroep, CPC, COC, CPC-I, CPPM, founder/CEO Certification Coaching Organization, LLC in Oceanville, N.J.

Check out this FAQ on all the ins and outs of HHS-approved HIPAA breach notifications to the media.

When Do We Have to Notify the Media of a Breach?

As soon as possible. Much like notices to individuals, when the breach is especially large, you must provide media notification of the breach “without unreasonable delay and in no case later than 60 days following the discovery of a breach,” according to the HHS Breach Notification Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/).

Where Do I Send the Media Breach Notice?

According to the Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW), you’ll notify the media with a carefully worded press release to prominent media outlets in the area.

What constitutes a prominent media outlet differs depending upon the state or jurisdiction where the organization’s affected patients reside, according to HIPAA COW.

What works: For breaches affecting 500 or more in a state, HHS could consider a major, general interest newspaper with a daily circulation throughout the entire state as a “prominent media outlet.” If the entire breach occurs in a limited jurisdiction, such as a city, “a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city — even though the newspaper does not serve the whole state,” HIPAA COW reports.

What doesn’t: If a newspaper serves a single town with weekly or monthly editions, however, HHS won’t consider it a “prominent media outlet.” A daily special-interest newspaper (focused on sports, politics, crime, etc.) is also not prominent enough, according to HIPAA COW.

When you’re unsure if a media outlet is prominent enough for a HIPAA breach notification, be sure to check with HHS before proceeding.

What Elements Should the Media Breach Notice Contain?

The notice to the media should include the same information as the notice to the individuals, according to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt. (See Practice Management Alert, Vol. 15, No. 9, to learn how to see an example of an individual HIPAA breach notification.)

In addition to the information on the individual notice, www.hrcare.com recommends your media notification include:

  • descriptions of what the practice is doing “to investigate the breach, to mitigate harm to individuals, and to protect against further breaches” and 
  • contact information (toll-free telephone number, e-mail address, website, postal address, etc.) for individuals who would like to ask the practice questions about the breach.