Health Providers Facing Stiff HIPAA Regulations
Breach Notification Provisions
New breach notification provisions are another change to the rules. If a breach of an individual’s protected health information occurs, a covered entity must notify the individual within 60 days. The 60-day period starts running when an employee or agent of the entity realizes a potential breach – not when the provider determines a breach has in fact occurred after investigation, said Fehn. “As soon as an employee finds out, ‘Oh gosh, I sent a medical bill to the wrong address,’ that’s when the 60 days starts to run. … The problem is people often don’t want to report mistakes right away,” said Fehn. Therefore, health care providers are strongly advised to have policies and training measures in place requiring employees to immediately report a suspected violation, she said.
Breaches involving more than 500 individuals, such as where a laptop or other mobile device containing private patient data is lost or stolen, must be reported to the Department of Health & Human Services and to a major media outlet in your area – in addition to notifying each of the individuals affected. Entities must also keep a log of violations and report them within 60 days of the end of a calendar year.
A health care provider may not be required to report a breach if it determines the breach didn’t cause harm. Such an example may occur where a bill was incorrectly sent but contained only an individual’s name, without additional private information, Fehn suggested. “If you do risk assessment and decide there was not a great risk to the person of any kind of harm, technically you do not have to report it,” she said.
However, this exception has drawn protests from privacy advocates (and disagreement from some senators who wrote the HITECH Act) who say it should be up to the patient to decide if he or she was harmed, said Fehn. She noted that the provision may be changed in light of the controversy. Even if the provision remains, a health care provider must weigh carefully whether to employ it. This is because an entity could face a double penalty (the fines are “per violation”) – once for the privacy violation and again for not reporting it – if it turns out the violation should have been reported. The breach notification provisions are in effect but will not be enforced until February 2010.