What to Do After a HIPAA Breach?

by Yenny (SU)

Imagine: one of your office staff members takes a laptop containing PHI (protected health information) home to do some work, and the laptop is stolen. Or, maybe another staff member is in a hurry and accidentally includes a list of confidential patient information (names, addresses, contact details, social security numbers, etc.) in another patient’s “new patient package” that goes out in the mail.

In either of these cases, your practice has just suffered a serious HIPAA breach. (In the laptop case, the one exception is if the PHI on the disk was encrypted to HHS guidance; properly encrypted PHI is not considered “unsecured,” and its loss does not meet the definition of a breach.)

If an event like this occurs, does your staff know what to do? Do they know whom to report the incident to? Is there a designated HIPAA Security Official who understands the steps that must be taken after a breach? Do they know the breach notification steps? And is the HIPAA Security Official receiving ongoing training to keep up with the constant changes in PHI security and privacy, including the extensive breach notification requirements that the HITECH Act, passed by Congress, added to HIPAA?

Mandated Notification and Reporting of HIPAA Breaches under the HITECH Act

When a HIPAA breach occurs, the provider must do the following:

·        Notify every individual whose PHI was breached, by first-class mail (or by email, if the individual has agreed to receive notices electronically), without unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach counts as discovered on the first day it is known, or reasonably should have been known, to anyone in the practice other than the person who caused it, so the clock does not wait for the investigation to finish. The notification must include a brief description of what occurred, the date of the breach, and the date the breach was discovered.

·        The notification must also clearly describe the types of PHI involved (for example, names, addresses, social security numbers, diagnoses), as well as the steps the individual should take to protect themselves from potential harm resulting from the breach.

·        The notification must include a brief written statement of what the office is doing to investigate the breach, mitigate harm, and protect against future breaches. Be sure to include contact information (such as a toll-free number, an email address, or a postal address) that individuals can use to ask questions.

·        If the breach involves the PHI of more than 500 residents of a state or jurisdiction, the provider must also notify prominent media outlets serving that area, within the same 60-day window.

·        The provider must report every breach to the Secretary of Health and Human Services (HHS). A breach affecting 500 or more individuals must be reported to HHS within 60 days of discovery, at the same time the individuals are notified; a breach affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which it was discovered.

It is important to note that ALL breaches must be reported to HHS under the HITECH rules, regardless of size; only the timing of the report differs. Some of the most common breach types reported include:

·        Unauthorized access of PHI

·        Unauthorized disclosure of PHI

·        Theft

·        Hacking/IT incident

·        Loss

These breaches occurred at, and were reported by, health care provider offices and business associates alike. That pattern suggests a lack of training, a misunderstanding of the requirements, or simply a failure to adhere to the practice’s own HIPAA policies and controls.

Costs of a HIPAA Breach

Depending on the size and scope of a HIPAA breach, costs can reach more than $1 million in fines alone. According to a recent study by Protenus, a company that provides patient privacy monitoring, the cost of lost business can be as much as $3.7 million. Then there are the staff costs of remediation and reporting, not to mention possible legal costs and, for knowing and wrongful disclosures of PHI, criminal penalties that can include prison for the individuals involved.

Additionally, when you consider the long-term, far-reaching effects on an individual whose PHI is illegally disclosed in a HIPAA breach, it is easy to understand how such a situation can become a public relations nightmare and bring your business to its knees.

If you are concerned about your business’s privacy and security needs, HIPAA compliance, and proper response should you have a HIPAA breach at your office, contact Colington Consulting at 800-733-6379. They are experts in HIPAA and HITECH rules and procedures. Colington Consulting will help you avoid problems and steep fines by bringing your business into full HIPAA and HITECH compliance, and will take you through the required reporting and mitigation procedures should you experience a breach. It is what they do best, leaving you free to do what you do best: provide health care to your patients.