Home Health & Hospice Week

HIPAA:

When Do You Have To Report A HIPAA Breach?

Follow this expert’s decision tree.

Deciding when to take the reputation-threatening step of notifying patients, the feds, and perhaps even news media of a potential breach of protected health information isn’t easy. Make sure you know when you need to go through the breach notification process — and when you don’t.

Use this breach-notification decision tree, provided by Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems in Charlotte, Vermont.

1. Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?

a. NO: Not a breach; stop here. Document the incident and the determination of “not a breach.”

b. YES: Go to Step 2.

2. Was the information secured according to U.S. Department of Health and Human Services guidance, or destroyed?

a. YES: Not a reportable breach; stop here. Document the incident and determination of “not a reportable breach.”

b. NO: Go on to Step 3.

3. Was the potential breach internal to your organization AND either unintentional, made in good faith, with no further use, or inadvertent and within the scope of the person’s job?

a. YES: Not a breach; stop here. Document the incident and determination of “not a breach.”

b. NO: Go on to Step 4.

4. Can the breached information be retained in any way?

a. NO: Not a breach; stop here. Document the incident and determination of “not a breach.”

b. YES: If the breached information may be retained in some way, you have a breach. Go on to Step 5.

5. Perform a risk assessment. Is there a “low probability of compromise”?

a. YES: If there is a low probability of compromise, the breach is not reportable; stop here. Document the incident and determination of “not a reportable breach.”

b. NO: If there is not a low probability of compromise, you MUST report the breach.

Remember: “If you have a small breach (affecting fewer than 500 individuals), you must report the breach to those individuals within 60 days,” says Sheldon-Dean. You must also report the breach to HHS no later than 60 days after the end of the year.

If you have a large breach (affecting 500 or more), you need to report the breach to the individuals affected and to HHS within 60 days, Sheldon-Dean explains. But you must also notify major media outlets of the breach when it affects more than 500 individuals in a given jurisdiction.
