A server issue is said to have prompted the breach of 2,500 patient files. Someone walking out of your practice carrying 2,500 patient files would be hard to miss, but you’d probably find it much more challenging to notice if those files were accessed digitally. In reality, the more technologically advanced medical practices become, the more training, resources, and equipment that are required. That’s because technology can break down and hacking gets ever more sophisticated, both of which can compromise your patient privacy systems. Such was the lesson that gastroenterology staff members at a Nevada practice recently learned, after a hacker is said to have accessed some 2,500 patient files via a server. The practice notified the affected patients that their names, mailing addresses, phone numbers, and/or other information may have been accessed, and is letting them know how to protect themselves going forward. Even a minor breach of patient protected health information (PHI) or electronic PHI (ePHI) can spell big trouble for your GI practice under the Health Information Portability and Accountability Act (HIPAA). But you can take action to guard against potential fallout with the HHS Office for Civil Rights (OCR). “A comprehensive HIPAA plan serves to reduce the risk of a breach, as well as mitigate potential fines in the event of a breach,” counsels attorney John E. Morrone, partner with Frier Levitt LLC in New York City. “Recent settlements indicate that OCR will continue to penalize entities not only on the basis of a breach itself, but also for failing to have in place the requisite safeguards that HIPAA requires to limit and/or prevent such an occurrence.” Read on to see how you can strengthen your practice’s HIPAA breach management. Know What Counts as Breach A breach occurs when a covered entity (CE) releases a patient’s PHI or ePHI to someone other than the patient without permission. “According to the Privacy Rule, a breach is any acquisition, access, use, or disclosure in violation of the privacy rule — and that covers a lot,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. However, there are exceptions under which access to PHI is not considered a breach, and CEs aren’t required to report it. They include: Know When to Report a Breach When CEs expose patients’ PHI, whether accidentally or purposely, they violate HIPAA, requiring them to report it — ASAP. Although the OCR defines different breach notification obligations for large (500 or more individuals) or small (fewer than 500 individuals) breaches, CEs can’t wait until the scope is defined before reporting the breach to the OCR with at least an initial estimate. Consequence: If a CE doesn’t report the breach according to the rules, it could get nicked for willful neglect. If a patient finds out that their PHI was breached and the CE did not properly notify them, the person may file a complaint with HHS. If a patient files a complaint before the CE files an individual breach notice, it will be too late for the organization to be in compliance, reports Sheldon-Dean. Know What to Report Depending on the size and scale of a breach, you must notify three different factions under the Breach Notification Rule. OCR expects CEs to inform these entities of the violation in this order if a breach occurs: Notifying patients after a breach is paramount, and the disclosure must include particular elements outlined by the feds in HIPAA. The notification must have the following: Expert advice: Don’t try to hide a breach — accept it and follow the policies and procedures, advises attorney Lauren M. Ramos, with McGuire Woods LLP in Richmond, Virginia. “Collect all the facts as quickly as possible, mitigate the damages to [the] greatest extent possible, and loop in legal counsel as early as possible.” OCR looks favorably on those who comply with the HIPAA breach requirements, Ramos indicates. “Providers should remember that OCR does not investigate every breach, especially small ones. In fact, OCR likely investigates only a small percentage of all reported breaches. Following the correct procedures and reporting a breach does not mean that an OCR investigation is inevitable,” she counsels.