Breach Notification [Healthcare Compliance Tips]

Review the HHS and OIG’s breach notification requirements to ensure HIPPA compliance.

Per HIPAA, “a breach is defined as an unauthorized acquisition, access, use, or disclosure of PHI, which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have could retain such information.”

Whew!  That was a lot to type, but hopefully, reading the definition will help you understand why this is a hot topic.

Even the personnel from Insider Data Breach understand the importance of this topic, in which they reported that 43% of breaches were due to employees rushing and making mistakes.

Which is why once you find out that patient information has been compromised, the number of people affected by the breach determines the next steps you will take.

All individuals and HHS officials must first be notified of the breach, in which there are several ways to the notification process, such as:

• Entities have 60 days to report the breach by:
  • Written
  • Mail or email for 10 or more individuals
  • Website
  • By telephone
• Notice to media:
  • 500 individuals or more must be reported immediately to the HHS secretary to be posted on the agency website.
  • 500 or less will be logged and submitted to the secretary.
• Annual breach reports sent to house committees.

The information mentioned above is from the federal perspective, in which you will still need to comply with the state if a breach occurs.

Though your business associates are responsible for breach reporting, this still does not exempt you from liability.  Therefore, you must check in with business associates regularly.

Don’t ever think you are not susceptible to a breach, which is why having an effective compliance program is critical.

 **The opinions and observations from the group/author are not a promise to exempt your practice from fines and penalties.  Research, modify, and tailor the advice to fit your specialty.