HIPAA: Do I Need to Report?

Many physicians may not fully understand the breach reporting requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and further enforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. A breach is considered any acquisition, access, use or disclosure of Protected Health Information (PHI) which compromises the security or privacy of the PHI. However, if the disclosed PHI has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, an adequate risk assessment may determine that a sufficiently minimal or nonexistent risk is present, thereby excluding the event from the definition of a breach.

The most basic example of a breach occurs when one patient’s records are accidentally sent or disclosed to another patient or individual. While this may seem trivial in a circumstance in which the content disclosed is rather limited, physicians must be aware of how to identify a breach and understand their obligations with respect to reporting.

Every HIPAA breach is reportable; how it is reported depends on the number of individuals affected by the event. When fewer than 500 individuals are affected by the breach, practices must maintain a system for logging or otherwise documenting the breaches that occur during the calendar year. Practices must then submit a detailed account of all such events to the Secretary of the U.S. Department of Health and Human Services (HHS), through the HHS Office for Civil Rights, no later than 60 days after the end of the calendar year. Immediate notification to the Office for Civil Rights is required in the event that a breach affects more than 500 individuals.

Frier Levitt is experienced in handling individual and government breach notifications for violative events of all sizes. If you believe that a HIPAA breach has occurred within your practice, contact us for assistance in assessing your reporting obligations under HIPAA.