How to Respond to a HIPAA Breach in 5 Steps


A provider’s laptop is left in a taxi, a front desk sign-in sheet lists patients’ names, a practice’s website is hacked: all easy accidents that could happen to you. How you respond to a HIPAA breach will play a major role in the penalty – if any – assigned.

Be sure to follow these compliance rules to keep your HIPAA breach response in good standing.

Alert Management That You Suspect You Need to Respond to a HIPAA Breach

If you suspect a breach, inform your practice management, including your HIPAA compliance officer. You’ll want to contact your practice’s legal counsel as well.

Conduct a Risk Assessment to Determine If a HIPAA Breach Occurred

The Breach Notification Rule requires you to perform a risk assessment to conclude whether the PHI disclosure incident counts as a breach. The risk assessment must include these factors:

  • the nature and type of PHI involved
  • the identity of the recipient of the disclosed PHI
  • the likelihood that the PHI was viewed or accessed
  • any risk-mitigation strategies

If your risk assessment indicates a low probability that PHI was compromised, congratulations — the incident is not a reportable breach and you’re off the hook. If not, you must proceed with notification.

Respond to a HIPAA Breach with the Needed Notifications

If your practice has a breach of protected health information (PHI), you must comply with the HIPAA Breach Notification Rule. Notification requirements depend on the number of records affected.

Notify Patients Within 60 Days Via Mail

You have a limited amount of time to react to the breach – so start working right away once you determine the incident counts as a breach. You have 60 calendar days after the date of discovery of the breach to notify the affected patients. Typically, you should send the notice via first-class mail. In your notice, include the following information:

  • a description of the breach
  • the dates of the breach and its discovery
  • the types of PHI involved in the breach
  • what patients can do to protect themselves
  • what you’ve done to investigate the breach, mitigate its results, and protect against future breaches
  • who the patient may contact for further information about the breach

Report the Breach to HHS Depending on the Number of Patients Impacted

The timeframe for reporting the breach to HHS, like the other notification requirements, depends on the number of individuals affected.

For further training on how to handle HIPAA breaches, HIPAA expert Gina L. Campanella, Esq., FACHE, can help. Gina’s webinar breaks down the key indicators you must know to determine if a reportable HIPAA breach has occurred, and helps you avoid the consequences of both over- and under-reporting. Training Leader’s online trainings are 100% guaranteed to satisfy your needs – or your money back.


Meet Your Writer

Jen Godreau
CPC, CPMA, CPEDC, COPC, AHIMA ICD-10-CM/PCS Approved Trainer

Content Director

Jen Godreau, CPC, CPMA, CPEDC, COPC, AHIMA ICD-10-CM/PCS Approved Trainer is an expert in practice management, billing and coding, and revenue cycle management, and brings almost 20 years of experience to the content team at Training Leader. Prior to joining Training Leader, Jen led implementations of EMRs and revenue cycle management services including credentialing. She has led teams who have created numerous software programs and tools for compliance, coding, and auditing. Her passion for all things compliance and coding has filled thousands of articles and allowed her to provide practice management consulting and due diligence for hundreds of practices.

Jen's advocacy led to the overturning of neonatology supervision restrictions, creation of new CPT ENT codes, and winning of Medicare monitoring auditing contracts. She wrote the diagnosis study guide for AAPC's Certified Otolaryngology Coder (CENTC) exam and edited the AAPC Professional Medical Coding Curriculum.

Jen has a Bachelor of Arts from Wittenberg University in Springfield, Ohio. She became a Certified Professional Coder (CPC) in 2001, added her designation as a Certified Pediatric Coder (CPEDC) in 2009, became a Certified Medical Coding Auditor (CPMA) in 2010, and a Certified Ophthalmology Professional Coder (COPC) in 2017. She is an AHIMA ICD-10-CM/PCS approved trainer.
