A provider’s laptop is left in a taxi, a front desk sheet lists patients’ names, a practice’s website is hacked: these are all easy accidents that could happen to you. And how you respond to a HIPAA breach will play a major role in the penalty – if any – assigned.
Be sure to follow these compliance rules to keep your HIPAA Breach response in good standing.
Alert Management That You Suspect You Need to Respond to a HIPAA Breach
If you suspect a breach, inform your practice management, including your HIPAA compliance officer. You’ll want to contact your practice’s legal counsel as well.
Conduct a Risk Assessment to Determine If a HIPAA Breach Occurred
The Breach Notification Rule guidelines require you to perform a risk assessment to conclude whether the PHI disclosure incident counts as a breach. The risk assessment must include these factors:
- the nature and type of PHI involved
- the identity of the recipient of the disclosed PHI
- the likelihood that the PHI was viewed or accessed
- any risk-mitigation strategies
If your risk assessment indicates a low probability that PHI was compromised, congratulations — you’re off the hook. If not, you must proceed with notification.
Respond to a HIPAA Breach with the Needed Notifications
If your practice has a breach of Protected Health Information, you must comply with the HIPAA Breach Notification Rule. Notification requirements depend on the number of records affected.
Notify Patients Within 60 Days Via Mail
You have a limited amount of time to react to the breach – so start working right away after you determine the incident counts as a breach. You have 60 calendar days after the date of discovery of the breach to notify the affected patients. Typically, you should send the notice via first class mail. In your notice, include the following information:
- a description of the breach
- the dates of the breach and its discovery
- the types of PHI involved in the breach
- what patients can do to protect themselves
- what you’ve done to investigate the breach, mitigate the results of the breach, and protect against future breaches
- who the patient may contact for further information about the breach
Report the Breach to HHS Dependent on Number of Patients Impacted
Timeframes to report the breach to HHS, like the notification entity, depend on the number of individuals affected.
For further training on how to handle HIPAA breaches, HIPAA expert Gina L. Campanella, Esq., FACHE, can help. Gina’s webinar breaks down the key indicators you must know to determine if a reportable HIPAA breach has occurred, and helps you avoid the consequences of both over- and under-reporting. Training Leader’s online trainings are 100% guaranteed to satisfy your needs – or your money back.