Question: What must we do in terms of breach notification if we mail a statement to the wrong patient? The statement doesn’t have much information on it, other than the fact that there was an office visit, maybe the date of the visit and that the patient went to the visit. Would we have to go through the whole breach notification process?
New Hampshire Subscriber
Answer: “This is a typical situation,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt. “The kind of breach that happens most often is a piece of paper that winds up in the wrong envelope and goes to the wrong address.”
And the statement doesn’t even necessarily need to have very much information on it, “but if it does have somebody’s name and something about an office visit in any way, then that really is the kind of information you need to report as a breach,” Sheldon-Dean says.
But this is a relatively straightforward process because the breach involves just one individual’s information. You have to notify only that one individual, but you do need to send the patient the official notification, Sheldon-Dean stresses. The breach is also one that you should submit in your annual accounting to the U.S. Department of Health and Human Services (HHS), within 60 days after the end of each year.