Medicare Compliance & Reimbursement

Clip And Save:

Keep this HIPAA Breach Primer Handy to Avoid Notification No-Nos

Hint: Failure to notify your patients of a PHI breach early on can get you in hot water.

As the HHS Office for Civil Rights (OCR) continues to pursue breached practices with a vengeance, 2017 is ramping up to surpass 2016’s compliance woes. Proper notification after a violation is identified can help lessen the financial penalty.

Nuts and bolts: When you expose your patients’ PHI, whether accidentally or purposely, you violate HIPAA. And if you don’t report the breach according to the rules set forth by the HHS and the OCR, you could get nicked for willful neglect of the rules.

“HHS does not take these violations lightly; fines for willful HIPAA neglect start at $10,000 and only increase from that point,” warns Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems LLC, in Charlotte, Vt.

Reminder: Also, you have to file a breach notification as soon as you become aware of it. If a patient finds out that you have breached his PHI and you have not properly notified him, he may file a complaint with HHS. If a patient files a complaint before you file an individual breach notice, it will be too late for you to be in compliance, reports Sheldon-Dean.

Alert These 3 Distinct Groups

Depending on the size and scale of your breach, three different factions must be notified under the Breach Notification Rule. HHS OCR expects you to inform these entities of the violation in this order if a breach occurs:

  • Individuals: You must immediately notify any patient, business associate, employee, etc., that the breach affects.
  • Secretary: You must notify the HHS Secretary of any breaches by completing a breach report form, which you can find online at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
  • Media: If you experience a breach that affects more than 500 residents of a state or jurisdiction, you must notify the affected individuals and “provide notice to prominent media outlets serving the state or jurisdiction,” HHS reports.

Here’s What You Send to Individuals Who’ve Been Compromised

As quality care continues to be at the forefront of healthcare, so does patient-focused compliance. Notifying your patients first after a breach is paramount, and the disclosure must include particular elements outlined by the feds in 45 CFR § 164.404(c). The information must have the following:

  • The date of the breach.
  • The date of the discovery of the breach.
  • The information that was breached.
  • Steps the individual should take to protect PHI.
  • What the covered entity (the medical practice) is doing about the breach. (For example: “Practice is investigating the incident”, “Practice is evaluating mitigating impacts that might have contributed to the breach”, “Practice is forming an action plan to protect against future breaches”, etc.).
  • Contact information that the individual can use if he has questions. Be thorough on this one by providing the individual with as many contact possibilities as you can: Practice phone number, email address, postal address, website, etc.

To read the 45 CFR § 164.404(c) from the Government Publishing Office (GPO), visit www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-404.pdf.