How To Handle a HIPAA Breach

According to the website of the Department of Health and Human Services, a breach is, generally, “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.”

In plain English, a breach happens when protected health information (PHI) is disclosed or used in a way that falls outside the scope of what the HIPAA privacy rules allow and has not been authorized in writing by the patient. Several different groups of people are liable for HIPAA violations: healthcare providers, employees of healthcare providers such as managers and office staff, and any third party who “cause, aid or abet, counsel, command, induce, procure, or conspire” with someone in the healthcare industry to violate HIPAA.

In 2010, 5.4 million individuals were affected by large breaches. The top five types of breaches were theft; loss of electronic or paper records containing PHI; unauthorized access to, use of, or disclosure of PHI; human error; and improper disposal of paper records. In 2010, small breaches affected 50,000 individuals, and the most common cause was “misdirected communication” that affected only one individual.

The rules for handling a breach depend on the number of people affected. Healthcare entities are required by law to inform patients when a breach has occurred. Acceptable forms of communication are first-class mail, or email if the patient has signed the appropriate consent forms. If ten or more individuals have outdated or insufficient contact information, a blanket notice must be posted on the homepage of the entity’s website or in local print or broadcast media for 90 days, together with a toll-free number for contacting the office that must remain active for 90 days. Any time the PHI of more than 500 individuals is breached, the media must also be notified within 60 days.

Besides the patients, the proper government agencies must be informed. Forms must be submitted, with a separate form for every breach. If more than 500 individuals are affected, there is a 60-day deadline for alerting the Department of Health and Human Services and the Office of Civil Rights. If fewer than 500 individuals are affected, notice of breaches must be given annually; the law states that the report must be made within 60 days of the end of the calendar year in which the breach occurred.

The clock for taking action starts as soon as a breach is discovered. In order to carry out a quick investigation and meet the deadlines set by HHS, every office should have a compliance plan. Having a protocol for all types of breaches ensures that, if something does happen, it can be dealt with swiftly and on time. Consult a healthcare attorney to develop a plan for different scenarios, as different types of breaches call for slightly different steps. Giving staff the proper tools to identify a breach is imperative, as is ensuring that everyone understands the protocol to follow in the case of a breach. Education helps everyone in the office understand what constitutes a breach and therefore which behaviors and actions should be avoided.

Source: Annual Report to Congress on Breaches of Unsecured PHI for Calendar Years 2009 and 2010