By: Thomas Law Group On: June 21, 2016 In: Health Care Professionals

In September 2013, the Health Insurance Portability and Accountability Act (HIPAA) final rule was implemented, which modified the standard by which dentists and other covered entities must notify patients following a breach. A breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI). PHI is information that:
· relates to the past, present, or future condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the patient’s health care;
· identifies the patient or could reasonably be used to identify the patient; and
· is transmitted or maintained in any form or medium.

Examples of a breach include stolen or improperly accessed PHI, PHI inadvertently sent to the wrong provider, and unauthorized viewing of PHI by an employee of a practice.

Once a breach has been discovered, HIPAA sets specific requirements that the practice must follow. Notification of the breach must be provided to the patient without unreasonable delay, which is typically within 60 days of the date of discovery of the breach (or of the date the practice reasonably should have discovered the breach). The notice must be in plain language and provide the following:
· date of the breach
· brief description of breach and PHI involved
· steps the individual should take to protect against potential harm
· description of steps the practice has taken to investigate the incident, mitigate harm, and protect against further breaches
· the practice’s contact information

Notice must be by personal delivery or mail, unless your patient has permitted contact via email. In the event the breach affects 500 patients or more, additional measures are required, including sending notification to major media outlets.

In addition to notifying the patients, the provider must also notify the Department of Health and Human Services (HHS). For breaches affecting fewer than 500 individuals, a log must be kept of any breach and must be provided to HHS during the calendar year that the breach occurred. For a breach involving 500 individuals or more, the provider must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

HIPAA breach requirements cover a broad range of scenarios and require quick action. Situations that may appear harmless may in fact constitute a breach that requires quick notification and remediation. It is important to prevent these situations and to be prepared in the event they occur.

The attorneys at Thomas Law Group have guided many clients through HIPAA issues and questions. Please call Attorney Dean Kadri or one of the other experienced attorneys to assist you.