Avoid fines for lax notification, which start in five figures.
If a Health Insurance Portability and Accountability Act (HIPAA) breach occurs at your practice, you are bound by federal law to notify any individual that the breach impacts. For notification purposes, this includes patients, business associates, employees, etc.
According to the experts, the penalties for not reporting a breach can be severe.
“If you don’t report the breach according to the rules, you are subject to the penalties for willful neglect of the rules,” warns Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt.
Further, if the patient finds out about a breach and you didn’t properly notify him, “he may file a complaint with HHS [Department of Health and Human Services], at which point it will be too late to be in compliance,” continues Sheldon-Dean.
Help’s here: Use this sample template as a guide when crafting your own HIPAA breach notification, but make sure you are using it as a guide only. If your practice isn’t prepared to offer a full year of free credit monitoring, for instance, be sure to reword that part of the letter.
Sample HIPAA Breach Notification Letter
[Affected Individual’s Name]
[Affected Individual’s Address]
Dear [Affected Individual]:
This letter is part of [Provider’s Name]’s commitment to patient privacy. Everyone at [Provider’s Name] takes the issue of patient privacy very seriously, and it is important to [Provider’s Name] that you are made fully aware of a potential privacy issue.
[Provider’s Name] has learned that your personal information, including name, address, ___________, ___________, and __________, might have been compromised. On [Date of Potential Breach Discovery], we discovered that [Description of Incident and Date of Potential Breach]. We reported the incident to the police because theft may have been involved (if applicable). However, we have not received any indication that any unauthorized individual accessed or used the information.
While we at [Provider’s Name] are doing everything we can to protect your PHI, you can help protect your personal information by:
[Describe steps patient should take to protect themselves:]
[Provider’s Name] is aware of how important your personal information is to you. If you choose, as an added security measure, we are offering one year of credit monitoring and reporting services at no cost to you (if applicable). This service is performed through [Name of Vendor], an organization that watches for and reports to you unusual credit activity. [Name of Vendor] will also request that the three credit bureaus place a “Fraud Alert” on your credit report.
If you would like to receive this service free of charge for a year, please respond “yes” by checking _______ or “no” by checking ________.
We understand that this may pose an inconvenience to you. We sincerely apologize and regret that this situation has occurred. [Provider’s Name] is committed to providing quality care, including protecting your personal information, and we want to assure you that we have policies and procedures to protect your privacy.
If you want to take advantage of the free credit monitoring service, or if you have any questions, please contact [Provider’s Phone Number].
Sincerely,
[Name], Privacy Officer
[Provider’s Company Letterhead]