Many healthcare organizations can blame healthcare breaches for the stiff penalties many of them have faced, including a spot on the Office of Civil Rights wall of shame. In 2015 alone, there were 253 healthcare breaches, which impacted 500 or more individuals. This means that over 112 million patient records were compromised. But before you breathe a sigh of relief and move on to the next item on your busy to-do list, it’s important to know that HIPAA breaches and consequences are not just limited to large organizations.
Whether you are a solo dentist or optometrist, or a member of a group practice, you are also susceptible to a HIPAA breach. What’s more, based on its announcement over the summer, the Health & Human Services Office of Civil Rights plans to start focusing on groups that have incidents involving fewer than 500 individuals. As such, it’s important for you to know ahead of time how to manage a HIPAA breach if or when one occurs. Here are three Cs that will help you understand the steps to take.
Step 1: Clarify
The first step in managing a HIPAA breach is to clarify what is considered a breach. The U.S. Department of Health and Human Services defines it as, “An impermissible use or disclosure of protected health information.” This protected health information (PHI) must be considered unsecured, meaning it is readable, usable or decipherable to unauthorized individuals via technology or other methods.
Step 2: Confirm
Once you are clear on the official definition of a breach, take a close look at the details of your office’s incident to confirm whether your patients’ information has truly been compromised. Keep in mind, once unsecured PHI has been disclosed to an unauthorized individual, it is categorized as a breach; however, the status of the situation can change if your office can show that the probability of compromise is low based on its assessment of the following:
- The type of details in question and the possibility that these could be used to identify the patient
- The individual(s) who has or was given access to the patient’s PHI
- Whether the protected health information was seen or obtained
- The degree to which steps were taken to ensure that this information was secure and not easily accessible
Step 3: Communicate
If you determine that a breach has taken place, communicate, communicate, communicate! Here are the people that you should notify:
- The affected individual. Within 60 days of discovering the breach, your office must make every effort to notify the person(s) in writing and advise them that their information has been compromised. You may email patients if appropriate arrangements were made to do so beforehand. Additionally, if you are unable to contact 10 or more patients, you may use your website or broadcast media to notify them.
- The media. If the breach impacts over 500 residents in a state or jurisdiction, your office must reach out to a major media group via press release or other means and make them aware of the incident. This must be done within 60 days after the breach.
- The Secretary. You must make the Secretary aware of the situation by going to the Health and Human Services site. There, you will complete and submit an electronic notification, advising the department of the occurrence. The timeframe for notification to the Secretary varies depending on whether the breach involves 500 or more individuals or fewer than 500 individuals.
You and your staff work hard every day to provide dental or vision care for your patients. Not only are you providing treatment plans and counsel on how your patients can stay healthy, you are also processing claims, interacting with insurance companies, managing your staff, doing your best to adhere to the HIPAA Privacy Rule, keeping patient records intact and much more. But you’re not perfect. Despite your best efforts, you may have an incident where your patients’ information is disclosed inappropriately. So, take steps to train your staff and create a plan to protect your patients’ PHI. However, be ready to clarify, confirm and communicate if Murphy’s law strikes.