Fines range from $100 to $1,500,000 so strive for compliance.
Often small mistakes won’t make or break your practice, but when it comes to protected health information (PHI) breaches under the Health Insurance Portability and Accountability Act (HIPAA), you have to act fast to avoid additional damages.
Knowing what qualifies as a breach and how to respond when you think there’s been one can keep your practice from facing penalties. Read on to ensure you’re clear on where things can go wrong and how to keep your practice out of hot water.
Look For Compromised PHI to ID Breaches
Quite simply, “a [HIPAA] breach is an improper or unauthorized use, disclosure, or access of protected health information (PHI),” explains Cyndee Weston, CPC, CMC, CMRS, executive director of the American Medical Billing Association (AMBA) in Davis, Ok.
Official definition: The U.S. Department of Health & Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the … [PHI].”
HHS presumes all impermissible uses or disclosure of PHI to be breaches “unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.”
Example: You are sending a fax to a patient’s primary care provider containing PHI about your surgical treatment. You mistakenly misdial the fax number, sending the patient’s PHI to the wrong fax number.
According to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt., other common HIPAA breaches include, but are not limited to:
Bad news: In addition to these typical HIPAA violations, hackers are starting to assault medical practice’s records in an effort to obtain PHI and other personal information, Sheldon-Dean warns.
HIPAA Breaches Aren’t All Business-Related
Though most breaches occur within the realm of a medical practice’s business operations, some PHI violations bleed into providers’ personal, and in some cases political, worlds.
According to Weston, when a physician discusses a patient’s medical history with a friend or family member that the patient has not authorized to access his medical records or information, it might be a breach. This will depend entirely on the situation, but everyone in the practice should mind what they say about patients’ PHI outside of the office just to be safe.
Weston has also been on the receiving end of a HIPAA violation, which shows just how prevalent — and unexpected — these breaches can be.
“My local dentist sent out a political letter asking patients to vote for a specific candidate running for state office,” Weston says. “He used his patient list to send the letters out. He violated HIPAA because he misused my address, which is an identifier of PHI to send me information unrelated to my treatment and care.”
Resource: Wondering what information constitutes PHI?
Check out the list of 18 HIPAA identifiers at http://cphs.berkeley.edu/hipaa/hipaa18.html .
Notify Individuals, Secretary Of Breaches
When your practice commits a HIPAA breach, HHS wants you to provide notifications to three entities: any affected individuals; the HHS Secretary; and, in certain circumstances, the media.
Here’s what HHS expects you to do for each of these populations should a breach occur: