The HHS says there is no excuse for dragging your feet on reporting a HIPAA violation.
Haste makes waste, or so they say, but in the case of notifying the feds about a HIPAA breach, the opposite is true. The sooner you alert the HHS secretary to the loss of protected health information (PHI), the better. Don’t stew over the breach or you will suffer the consequences.
Think About This Recent Scenario
Presence Health in Illinois, which serves thousands of patients with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, failed to report a HIPAA violation from an incident that occurred in October of 2013 within the time period allotted by the Breach Notification Rule. Though the organization did eventually report the breach on Jan. 31, 2014, the HHS and the OCR found it in violation.
The verdict. “The OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” an HHS news release from Jan. 9, 2017 stated. “Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.”
Here’s a Quick Overview of the Breach Notification Rule
In this case, the HIPAA-breach culprit was the discovery of a circulated operating room schedule and the unauthorized disclosure of the patients’ PHI. But violations can range from common HIPAA blunders caused by staff and business partners’ lack of compliance understanding to large-scale loss of PHI and ePHI through cybersecurity fraud, theft, and hacking.
If you uncover a HIPAA breach in your office, this is what you need to remember when reporting the violation to the HHS.
Breaches that include more than 500 individuals:
Breaches that include fewer than 500 individuals:
Communication Is Key
“This settlement underscores the importance of implementing the breach notification rule as part of HIPAA compliance, and not just the privacy and security rules,” advises Michael D. Bossenbroek, Esq. of Wachler & Associates, P.C. in Royal Oak, Michigan. “This applies to covered entities of any size.”
Plan and protect. Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up business agreements that are compliant, but initially creating resources and office compliance codes can be a daunting task. Educating both your staff and business associates on what a breach consists of, and on why and how it must be reported to avoid penalties, is paramount.
“It may sound basic, but stressing effective and timely communication within the entity is one of the keys, so that any suspected breach can be evaluated and, if necessary, reported within the required time frames,” Bossenbroek says.
Resource: For an overview of the Breach Notification Rule, visit https://www.hhs.gov/hipaa/for-professionals/breach-notification/.