Pathology/Lab Coding Alert

If your lab faces a breach of patient protected health information (PHI) or electronic PHI (ePHI) under the Health Information Portability and Accountability Act (HIPAA), you need to know how to react, and prepare to face the consequences.

But first, you can act to guard against potential fallout with the HHS Office for Civil Rights (OCR). “A comprehensive HIPAA plan serves to reduce the risk of a breach, as well as mitigate potential fines in the event of a breach,” counsels attorney John E. Morrone, partner with Frier Levitt LLC in New York City. “Recent settlements indicate that OCR will continue to penalize entities not only on the basis of a breach itself, but also for failing to have in place the requisite safeguards that HIPAA requires to limit and/or prevent such an occurrence.”

Read on to see how you can strengthen your lab’s HIPAA breach management.

Know What Counts as Breach

A breach occurs when a covered entity (CE) releases a patient’s PHI or ePHI to someone other than the patient without permission.

“According to the Privacy Rule, a breach is any acquisition, access, use, or disclosure in violation of the privacy rule — and that covers a lot,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.

However, there are exceptions under which access to PHI is not considered a breach, and CEs aren’t required to report it. They include:

Unintentional internal use, in good faith: For instance, if you put a folder on the wrong desk and a physician opens it, says, “Oh, these aren’t my patient’s notes, these belong to someone else” and closes it, you aren’t required to report that.

Inadvertent internal use, within job scope: For example, someone looks up the records for Mary Smith but opens the notes for the wrong Mary Smith, realizes her mistake, and then closes out the notes.

Information cannot be retained: For instance, you lose a box of medical records and you find them the next day with the box still sealed the way you left them, and you know the information was not breached.

Know When to Report a Breach

When CEs expose patients’ PHI, whether accidentally or purposely, they violate HIPAA, requiring them to report it — ASAP.

Although the OCR defines different breach notification obligations for large (500 or more individuals) or small (fewer than 500 individuals) breaches, CEs can’t wait until the scope is defined before reporting the breach to the OCR with at least an initial estimate.

Consequence: If a CE doesn’t report the breach according to the rules, it could get nicked for willful neglect.

If a patient finds out that her PHI was breached and the CE did not properly notify her, she may file a complaint with HHS. If a patient files a complaint before the CE files an individual breach notice, it will be too late for the organization to be in compliance, reports Sheldon-Dean.

Know What to Report

Depending on the size and scale of a breach, you must notify three different factions under the Breach Notification Rule. OCR expects CEs to inform these entities of the violation in this order if a breach occurs:

Individuals: You must immediately notify any patient, business associate (BA), employee, etc., that the breach affects.

Secretary: You must notify the HHS Secretary of any breaches by completing a breach report form, which can be found online at www.hhs.gov/hipaa/for-profes­sionals/breach-notification/breach-reporting/index.html.

Media: If you experience a breach that affects more than 500 residents of a state or jurisdiction, you must notify the affected individuals and “provide notice to prominent media outlets serving the state or jurisdiction,” OCR states.

Notifying patients after a breach is paramount, and the disclosure must include particular elements outlined by the feds in HIPAA. The notification must have the following:

• The date of the breach
• The date of the discovery of the breach
• The information that was breached
• Steps the individual should take to protect PHI
• What the CE is doing to remedy the breach (for example: “Lab is investigating the incident.”)
• CE contact information in case the individual has questions, including practice phone number, email address, postal address, website, etc.

Know Other Administrative Requirements

• Following a breach and appropriate reporting, CEs have an extra duty to fulfill other obligations. These administrative follow-up requirements include:
• Establishing or updating breach notification policies and procedures
• Staff training on breach protocols
• Sanctions against employees who don’t comply with the rules

Expert advice: Don’t try to hide a breach — accept it and follow the policies and procedures, advises attorney Lauren M. Ramos, with McGuire Woods LLP in Richmond, Virginia. “Collect all the facts as quickly as possible, mitigate the damages to [the] greatest extent possible, and loop in legal counsel as early as possible.”

OCR looks favorably on those who comply with the HIPAA breach requirements, Ramos indicates. “Providers should remember that OCR does not investigate every breach, especially small ones. In fact, OCR likely investigates only a small percentage of all reported breaches. Following the correct procedures and reporting a breach does not mean that an OCR investigation is inevitable,” she counsels.