Health Information Compliance Alert

A recent enforcement case highlights the importance of timely HIPAA-breach reporting.

Haste makes waste or so they say, but in the case of notifying the feds about a HIPAA breach the opposite is true. The sooner you alert the HHS secretary to the loss of protected health information (PHI) the better — don’t stew over the breach or you will suffer the consequences.

Think About This Recent Scenario

Presence Health in Illinois, which serves thousands of patients with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, failed to report a HIPAA violation from an incident that occurred in October of 2013 within the breach notification rule allotted time period. Though the organization did report the breach eventually on Jan. 31, 2014, the HHS and the OCR found them in violation.

The verdict. “The OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” an HHS news release from Jan. 9, 2017 stated. “Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.”

Here’s a Quick Overview of the Breach Notification Rule

In this case, it was the discovery of a circulated operating room schedule and the unauthorized disclosure of the patients’ PHI that was the HIPAA-breach culprit. But, violations can range from common HIPAA blunders caused by staff and business partners’ lack of compliance understanding to large-scale loss of PHI and ePHI through cybersecurity fraud, theft, and hacking. 

If you uncover a HIPAA breach in your office, this is what you need to remember when reporting the violation to the HHS.

Breaches that include more than 500 individuals:

• “A covered entity must notify the secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” the HHS Breach Notification guidance says. 
• It must be done electronically, and all information on the forms must be complete and comprehensive regarding the breach.
• The media must be notified.
• The individuals must be alerted to the loss of their PHI. 

Breaches that include less than 500 individuals: 

• The covered entity must alert the HHS secretary of the breach within 60 days of the calendar year in which the breach occurred. 
• It must be done electronically, but the breaches, even if they are on different days and concern different issues, can be submitted on the same day.
• The individuals must be notified.

Communication Is Key

“This settlement underscores the importance of implementing the breach notification rule as part of HIPAA compliance, and not just the privacy and security rules,” advises Michael D. Bossenbroek, Esq. of Wachler & Associates, P.C. in Royal Oak, Michigan. “This applies to covered entities of any size.” 

Plan and protect. Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up business agreements that are compliant, but the initial task of creating resources and office compliance codes can be a daunting task. Educating both your staff and business associates on what a breach consists of and why and how it must be reported to avoid penalties is paramount.

“It may sound basic, but stressing effective and timely communication within the entity is one of the keys, so that any suspected breach can be evaluated and, if necessary, reported within the required time frames,” Bossenbroek says.

Resource: For an overview of the Breach Notification Rule, visit https://www.hhs.gov/hipaa/for-professionals/breach-notification/.