Medicare Compliance & Reimbursement
Master Breach Notification Basics with this Handy Cheat Sheet
If HHS protocols were used and PHI was not lost, it may not be a breach. Practices often struggle with determining if a potential breach of PHI requires notification. Oftentimes the size and scope of the violation necessitates the who, what, when, where, and why of HIPAA breach reporting. Read on for expert advice on breach notification protocols. Use this breach-notification decision tree, provided by Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont. 1. Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule? a. NO: Not a breach; Document the incident and the determination of “not a breach.” b. YES: Go to Step 2. 2. Was the information secured according to U.S. Department of Health and Human Services (HHS) guidance, or destroyed? a. YES: Not a reportable breach; stop here. Document the incident and determination of “not a reportable breach.” b. NO: Go on to Step 3. 3. Was the potential breach internal to your organization AND unintentional, in good faith, with no further use, or inadvertent and within the job scope? a. YES: Not a breach; stop here. Document the incident and determination of “not a breach.” b. NO: Go on to Step 4. 4. Can the breached information be retained in any way? a. NO: Not a breach; stop here. Document the incident and determination of “not a breach.” b. YES: If the breached information may be retained in some way, you have a breach. Go on to Step 5. 5. Perform a risk assessment. Is there a “low probability of compromise?” a. YES: If there is a low probability of compromise, the breach is not reportable; stop here. Document the incident and determination of “not a reportable breach.” b. NO: If there is not a low probability of compromise, you MUST report the breach. Remember: “If you have a small breach (affecting fewer than 500 individuals), you must report the breach to those individuals within 60 days,” says Sheldon-Dean. You must also report the breach to HHS no later than 60 days after the end of the year. If you have a large breach (affecting 500 individuals or more), you need to report the breach to the individuals affected and to HHS within 60 days, Sheldon-Dean explains. But you must also notify major media outlets of the breach when it affects more than 500 individuals in a given jurisdiction.
Medicare Compliance & Reimbursement
- Telehealth:
CMS Moves Virtual Health Forward
Plus: See more options for physicians as care goes online. The reduction of physicians’ administrative [...] - Billing:
Sort Out EOB FAQs with These 5 Tips
Reminder: The EOB is not a bill. More often than not, patients receive their explanation [...] - Fraud And Abuse:
Millions Made By Whistleblowers Willing to Take Down Fraudsters
Plus: Qui tam law firms reach out to employees. If compliance isn’t your strong suit, [...] - HIPAA:
Master Breach Notification Basics with this Handy Cheat Sheet
If HHS protocols were used and PHI was not lost, it may not be a [...] - Reader Question:
Keep On Top of When Codes Become Invalid
Question: We recently learned that if the procedure code was invalid on the date of [...] - Industry Note:
Have a Plan in Mind for the Disposal of Your Mobile Devices
Mobile devices are a popular and necessary means to delivery efficient care nowadays. Unfortunately, they [...] - Industry Note:
Keep Revalidation Information Safe from Cyber Attack
HIPAA requires that practices safeguard their patients’ protected health information (PHI), but Medicare wants to [...] - Industry Note:
Are HIPAA Changes Around the Bend? Find Out
HIPAA compliance is essential to protect patients’ privacy. However, some industry insiders feel that old [...]
