Practice Management Alert

Reader Question:

Get Individual Breach Notifications Right to Avoid Penalties

Published on Wed Sep 07, 2016

Question: We have had a couple of individual breaches of the Health Insurance Portability & Accountability Act (HIPAA) recently. Now, we have to submit notifications of the breach. We’re having some trouble with the individual breach notifications. Could you list some of the elements that you must include when notifying individuals of HIPAA breaches?

Minnesota Subscriber

Answer: A HIPAA breach occurs each time you commit a violation of a patient’s protected health information (PHI) rights. If you don’t report the breach according to the rules set forth by the Department of Health and Human Services (HHS), you could get nicked for willful neglect of the rules. HHS does not take these violations lightly; fines for willful HIPAA neglect start at $10,000 and only increase from that point, warns Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt.

Also, you have to file a breach notification as soon as you become aware of it. If a patient finds out that you have breached his PHI and you have not properly notified him, he may file a complaint with HHS. If a patient files a complaint before you file an individual breach notice, it will be too late for you to be in compliance, reports Sheldon-Dean.

Here are the elements you must include in an individual breach notification, identified in 45 CFR § 164.404(c) on the United States Government Publishing Office (GPO) website:

The date of the breach.
The date of the discovery of the breach.
The information that was breached.
Steps the individual should take to protect PHI.
What the covered entity (the medical practice) is doing about the breach. (For example: “Practice is investigating the incident”, “Practice is evaluating mitigating impacts that might have contributed to the breach”, “Practice is forming an action plan to protect against future breaches”, etc.)
Contact information that the individual can use if he has questions. Be thorough on this one by providing the individual with as many contact possibilities as you can: Practice phone number, email address, postal address, website, etc.

Practice Management Alert

Accounts Receivable:
Take These Tips to Heart, Catch Up on A/R
Here’s why you need an administrator to conduct regular A/R reviews. Some practices inevitably fall [...]

Employee Evaluations:
Look Forward While Discussing Past In Performance Reviews
Experts: A portion of all reviews should be about the future. Tensions can run high [...]

Quick Tips:
Use This Advice to Start Your Evaluation Forms
Here’s why an expert recommends tailoring your evaluations to each job. Before conducting performance evaluations [...]

Reader Question:
Look At 5 'W's' for CPPM® Guidance
Question: We are formulating our budgets for training and certifications for 2017, and I am considering [...]

Reader Question:
Get Individual Breach Notifications Right to Avoid Penalties
Question: We have had a couple of individual breaches of the Health Insurance Portability & Accountability [...]

Reader Question:
Get Creative to Keep Top Performers Happy
Question: In the past year, we have lost two of our best coders and one of [...]

You Be the Expert:
Coding PT vs. Chiropractic Services
Question: We are a local chiropractic practice that often receives referrals from local orthopedists. One of [...]

View All