How to Respond to a HIPAA Breach in 5 Steps



A provider’s laptop is left in a taxi, a front desk sign-in sheet lists patients’ names, a practice’s website is hacked: all easy accidents that could happen to you. How you respond to a HIPAA breach will play a major role in the penalty – if any – assigned. Be sure to follow these compliance rules to keep your HIPAA breach response in good standing.

Alert Management That You Suspect a HIPAA Breach

If you suspect a breach, inform your practice management, including your HIPAA compliance officer. You’ll want to contact your practice’s legal counsel as well.

Conduct a Risk Assessment to Determine If a HIPAA Breach Occurred

The Breach Notification Rule requires you to perform a risk assessment to conclude whether the PHI disclosure incident counts as a breach. The risk assessment must include these factors:

  • the nature and type of PHI involved
  • the identity of the recipient of the disclosed PHI
  • the likelihood that the PHI was viewed or accessed
  • any risk-mitigation strategies

If your risk assessment indicates a low probability that the PHI was compromised, congratulations — you’re off the hook. If not, you must proceed with notification.

Respond to a HIPAA Breach with the Needed Notifications

If your practice has a breach of Protected Health Information, you must comply with the HIPAA Breach Notification Rule. Notification requirements depend on the number of records affected.

Notify Patients Within 60 Days Via Mail

You have a limited amount of time to react to the breach – so start working right away after you determine the incident counts as a breach. You have 60 calendar days after the date of discovery of the breach to notify the affected patients. Typically, you should send the notice via first class mail. In your notice, include the following information:

  • a description of the breach
  • the dates of the breach and its discovery
  • the types of PHI involved in the breach
  • what patients can do to protect themselves
  • what you’ve done to investigate the breach, mitigate its results, and protect against future breaches
  • who the patient may contact for further information about the breach

Report the Breach to HHS Depending on the Number of Patients Impacted

The timeframe for reporting the breach to HHS, like the notification requirements, depends on the number of individuals affected.

For further training on how to handle HIPAA breaches, HIPAA expert Gina L. Campanella, Esq., FACHE, can help. Gina’s webinar breaks down the key indicators you must know to determine if a reportable HIPAA breach has occurred, and helps you avoid the consequences of both over- and under-reporting. Training Leader’s online trainings are 100% guaranteed to satisfy your needs – or your money back.

Meet Your Writer

Jen Godreau
CPC, CPMA, CPEDC, COPC

Content Director

Jennifer Godreau, CPC, CPMA, CPEDC, COPC, has almost 20 years of experience in billing, coding, compliance, and practice management. She develops the content and programs for Healthcare Training Leader, a practice-specific online training company offering step-by-step advice on increasing reimbursement and avoiding compliance violations. Prior to joining Healthcare Training Leader, Jennifer supervised the program delivery for EMRs, practice management systems, and compliance and revenue cycle services for more than 6,000 providers. Thousands of software products (encoders, claims management, auditing, and HIPAA compliance) have been created with her teams and have helped thousands of practices more easily reduce revenue losses and comply with complex regulations. Her passion for breaking down healthcare rules and requirements into simple steps has provided practical advice, education, and risk reduction strategies to numerous associations, payers, and medical specialties, especially in primary care, otolaryngology, eye care, and pediatrics. Jennifer’s advocacy resulted in supervision rule revisions, new CPT codes, and CMS compliance contracts. She oversaw the provider auditing and education for one of the major corporate integrity health system settlements. Jennifer has authored and presented on numerous healthcare compliance and payment challenges. Her education guides include the Certified Otolaryngology Coder (CENTC) exam study guide and the AAPC Professional Medical Coding Curriculum. Jennifer has a Bachelor of Arts from Wittenberg University in Springfield, Ohio. She holds certificates in coding, auditing, pediatric coding, and ophthalmology billing and coding, and is AAPC Vice President of the Naples, FL chapter. Please reach out to Jennifer for step-by-step guidance at [email protected]