ED Coding and Reimbursement Alert

Question: We uncovered a small data breach in our practice that impacted about 225 patients. Do we need to contact anyone since the breach was so small and we contained it?

AAPC Forum Participant

Answer: Yes, no matter the size of the breach, you still must report to the Department of Health and Human Services (HHS). However, first make sure the event is an actual breach, which is defined by HHS as: “Generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” If you do uncover a HIPAA breach in your office, know that there are different timelines for reporting to the feds. The larger the breach, the shorter the turnaround time to let the feds know the details.

Here’s a basic breakdown of what you need to remember when reporting the violation to HHS.

Breaches that include more than 500 individuals:

• As a covered entity (CE), you “must notify the [HHS] Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” notes the HHS Office for Civil Rights (OCR) breach notification guidance.
• Your breach notification must be filed electronically; plus, the data you submit and all information on the required forms must be complete and cover all aspects of the breach.
• You must notify the media — and similarly to alerting the HHS Secretary, you must let the press know ASAP.
• You need to let the individuals know that their PHI was breached through first-class mail or in email within 60 days of the breach — if the impacted party has previously agreed to receive correspondences electronically, the OCR says.

Breaches that include fewer than 500 individuals:

• As the CE, you need to alert the HHS Secretary of the breach within 60 days of the calendar year in which the breach occurred.
• You need to submit your forms electronically. However, even if your HIPAA breaches are on different days and concern different issues, you can still submit them on the same day.
• The individuals whose PHI was affected by the breach must be notified by first-class mail or email, too — within 60 days of the breach.

Tip: Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up business associate agreements (BAAs) that are compliant. The initial task of creating resources and office compliance protocols can be daunting, but it’s essential that you educate your staff and your business partners and set up a breach management plan.