ED Coding and Reimbursement Alert

Reader Question:

Know what PHI Breaches Require

Question: If we think we may have breached a particular patient’s protected health information (PHI), do we just have to send them a notice of the incident? And if one of our business associates (BAs) was the cause of the breach, do we have to do anything, or do the same requirements not apply to BAs?

Tennessee Subscriber

Answer: To address the first part of your question: notifying patients after a breach is paramount, and the notice must include specific elements that HIPAA requires. The notification must contain the following:

  • The date of the breach;
  • The date of the discovery of the breach;
  • The information that was breached;
  • Steps the individual should take to protect PHI;
  • What the covered entity (CE) is doing to remedy the breach (for example: “Practice is investigating the incident,” “Practice is evaluating factors that might have contributed to the breach,” “Practice is forming an action plan to protect against future breaches,” etc.); and
  • CE contact information if the individual has questions, including practice phone number, email address, postal address, website, etc.

As for the second part of your question, BAs, just like your practice, “have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” cautions OCR guidance.

Check out the direct liability of BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.