Practice Management Alert

Feds expect you to notify everyone affected by every HIPAA breach.

When you’re faced with a potential breach of the Health Insurance Portability and Accountability Act (HIPAA), the government requires you to file notifications to all parties the breach affects. If you don’t, there could be dire consequences.

Potential penalties: Fines for HIPAA violations can range from $100 to $1,500,000. Spot potential HIPAA violations with this expert advice, and stay out in front of any penalties your practice could face for compromising an individual’s protected health information (PHI).

Look For Compromised PHI To ID Breaches

Quite simply, “a [HIPAA] breach is an improper or unauthorized use, disclosure, or access of protected health information (PHI),” explains Cyndee Weston, CPC, CMC, CMRS, executive director of the American Medical Billing Association  (AMBA) in Davis, Ok.

Official definition: The U.S. Department of Health & Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the … [PHI].”  

HHS presumes all impermissible uses or disclosure of PHI to be breaches “unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.”

Example: You are sending a fax to the local orthopedist’s office containing a patient’s PHI. You mistakenly misdial the fax number, sending the patient’s PHI to the wrong fax number.

According to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt., other common HIPAA breaches include, but are not limited to,:

• mailing the wrong PHI to a patient or business entity

• losing an unencrypted laptop or memory stick containing PHI

• using unsecure digital communications for professional purposes involving PHI over the Internet.

Bad news: In addition to these typical HIPAA violations, hackers are starting to assault medical practice’s records in an effort to obtain PHI and other personal information, Sheldon-Dean warns.

HIPAA Breaches Aren’t All Business-Related

Though most breaches occur within the realm of a medical practice’s business operations, some PHI violations bleed into providers’ personal, and in some cases political, worlds.

According to Weston, when a physician discusses a patient’s medical history with a friend or family member that the patient has not authorized to access his medical records or information, it might be a breach. This will depend entirely on the situation, but everyone in the practice should mind what they say about patients’ PHI outside of the office just to be safe.

Weston has also been on the receiving end of a HIPAA violation, which shows just how prevalent — and unexpected — these breaches can be.

“My local dentist sent out a political letter asking patients to vote for a specific candidate running for state office,” Weston says. “He used his patient list to send the letters out. He violated HIPAA because he misused my address, which is an identifier of PHI to send me information unrelated to my treatment and care.”

Resource: Wondering what information constitutes PHI? Check out the list of 18 HIPAA identifiers at http://cphs.berkeley.edu/hipaa/hipaa18.html.  

Best bet: Be on the lookout for PHI compromises everywhere. The better you get at spotting PHI vulnerabilities, the better you’ll be at preventing HIPAA violations.

Notify ‘Individuals,’ Secretary Of Breaches

When your practice commits a HIPAA breach, HHS wants you to provide notifications to three entities: any affected individuals; the HHS Secretary; and, in certain circumstances, the media.

Here’s what HHS expects you to do for each of these populations should a breach occur:

• Individuals: You must immediately notify any patient, business associate, employee, etc., that the breach affects. 

• Secretary: You must notify the HHS Secretary of any breaches by completing a breach report form, which you can find online at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

• Media: If you experience a breach that affects more than 500 residents of a state or jurisdiction, you must notify the affected individuals and “provide notice to prominent media outlets serving the state or jurisdiction,” HHS reports.

Bonus: For more information on filing individual HIPAA breach notifications, see “Form Your HIPAA Breach Notifications Around This Template” on page 68.