According to the Department of Health and Human Services (HHS) website, a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
In plain English, a breach happens when protected health information (PHI) is disclosed or used in a way that is outside the scope of what the HIPAA privacy rules allow and has not been authorized in writing by the patient. Several different groups of people are liable for HIPAA violations: health care providers, employees of health care providers such as managers and office staff, and any third party who “cause, aid or abet, counsel, command, induce, procure, or conspire” with someone in the health care industry to violate HIPAA.
In 2010, 5.4 million individuals were affected by large breaches. The top five types of breaches were theft; loss of electronic or paper records containing PHI; unauthorized access, use, or disclosure of PHI; human error; and improper disposal of paper records. In 2010, small breaches affected 50,000 individuals, and the most common cause was “misdirected communication” affecting a single individual.
The rules for handling a breach depend on the number of people affected. Health care entities are required by law to inform patients when a breach has occurred. Acceptable forms of communication are first-class mail or, if the patient has signed the appropriate consent forms, email. If ten or more individuals have outdated or insufficient contact information, a blanket notice must be posted on the homepage of the entity’s website or in local print or broadcast media for 90 days, with a toll-free number for contacting the office that must remain active for 90 days. Whenever the PHI of more than 500 individuals is breached, the media must also be notified within 60 days.
Besides the patients, the proper government agencies must be informed. Forms must be submitted, with a separate form for every breach. If more than 500 individuals are affected, there is a 60-day deadline for alerting the Department of Health and Human Services and the Office for Civil Rights. If fewer than 500 individuals are affected, notice of breaches must be given annually; the law states that the report must be made within 60 days of the end of the calendar year in which the breach occurred.
The clock for taking action starts as soon as a breach is discovered. In order to carry out a quick investigation and meet the deadlines set by HHS, every office should have a compliance plan. Having a protocol for all types of breaches ensures that if something does happen, it can be dealt with swiftly. Consult a health care attorney to develop a plan for different scenarios, as different types of breaches call for slightly different steps. Giving staff the proper tools to identify a breach is imperative, as is ensuring everyone understands the protocol to follow when a breach occurs. Education helps everyone in the office understand what constitutes a breach and, therefore, which behaviors and actions should be avoided.
Sources:
Annual Report to Congress on Breaches of Unsecured PHI for Calendar Years 2009 and 2010, www.hhs.gov