Practice Management Alert

Experts: Be sure you show HHS how you’ve improved defense of sensitive info.

When it comes to potential breaches of the Health Insurance Portability and Accountability Act (HIPAA) in a medical office, everyone must be aware of HIPAA hotspots. And if a HIPAA breach does occur, it’s not enough to notify the individual of the breach.

If you want to avoid any penalties, you must also formally notify the Department of Health and Human Services (HHS) Secretary.

Read on for more info on how to inform the Secretary the right way and jump out of HIPAA hot water before you face stiff penalties.

Follow Different Timetables for Small, Large Breaches

If you have a HIPAA breach, you must always notify the individual and the Secretary of the breach using this online form: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

Timeline: When a breach affects 500 or more individuals, “covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach,” according to the HHS website.

If the breach affects fewer than 500, “the covered entity may notify the Secretary … on an annual basis,” according to HHS. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which you discover the breaches.

Have Extra Info Ready When Notifying Secretary

When you inform the Secretary of a breach, opinions vary on whether or not you should include any additional information for HHS to consider when reviewing the notice.

Option 1: Some practices prefer to just fill out the online form, send it in and then follow up with any information that HHS subsequently requests. This streamlines the process, and the form includes all of the information you must legally supply the Secretary.

Option 2: Other experts believe you should be as detailed as possible on the initial Secretary notification, and include additional information where possible and appropriate. This makes the process longer, but you’ll probably be less likely to get a callback from HHS for more info.

“It is always in the best interest of the medical practice to include as much information as possible in addition to the [Secretary notification] form if available,” says Laureen Jandroep, CPC, COC, CPC-I, CPPM, founder/CEO Certification Coaching Organization, LLC in Oceanville, N.J.

On many forms, Jandroep says you can provide additional details in the free text portion of the submission area. This information should supplement, modify, or clarify the notice to the Secretary, she continues.

If the breach notification form does not have a free text portion, you can still submit additional documentation as an addendum; the process just takes a couple of steps.

To submit additional information with your Secretary notice, you have to fill out the entire Initial Breach Report first. Then, you should go back into initial report form (https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true) and click “Addendum to Previous Report.” Input your breach tracking number next, and you should be able to submit additional documents to the Secretary, Jandroep explains.

Best bet: Your individual practice should fill out each HIPAA breach form as it sees fit; if HHS wants more information on the breach, however, you need to be ready to supply it to stay out of trouble.

Make Sure to Show HIPAA Practice Improvements

One expert who recommends giving the Secretary as much information as possible up front, whether in the context of the form or as an addendum, is Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt.

Your notice to the Secretary should “include plenty of information about all the things you’ve done since the breach to make sure it never happens again,” he suggests. Anti-breach measures your practice might employ to prevent further HIPAA issues include:

• improvements in business processes,
• adoption of new policies and procedures,
• purchase and implementation of new technologies, and
• implementation of staff training.

If your practice has made any of the above changes, be sure the Secretary knows about them. Lastly, Sheldon-Dean recommends that your notice to the Secretary explains “how you have audited your own compliance, and have seen that your new process ensures that this problem will never return.”