Ophthalmology and Optometry Coding Alert

Answer: In general terms, a breach is “an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information [PHI],” according to HHS Office for Civil Rights (OCR) guidance. Moreover, a covered entity (CE) or business associated (BA) that fails to take the appropriate steps to curb or manage any impermissible uses and disclosures of PHI could easily find itself on the wrong side of a HIPAA violation — and the financial and professional price can be very steep.

The costs of non-compliance are usually far greater than the costs of compliance with HIPAA — the Rules are, for the most part, common-sense based, experts say. Here are the three important terms to know that impact OCR’s decision making on HIPAA violations and penalty amounts:

1. Reasonable Cause: An act or omission in which a CE or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

2. Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

3. Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Heads up: Willful neglect violations must be investigated and penalties are mandatory, so ensure that your practice is diligent about maintaining compliance to the HIPAA rules. If you are unsure whether your practice is compliant, speak with an attorney or a privacy expert who can review your practice’s operations and make recommendations to help you improve.