Friday, December 4, 2015

Dr. Jones is a News Star and His Patients Will Never Forget

The most misunderstood, unknown, or ignored of the HIPAA compliance rules is Breach Notification.

Dr. Jones had a lot of work to do over the weekend. He took his laptop from his office and put it in his car to take home. On the way home, Dr. Jones made a quick stop at the store. Upon returning to his car, Dr. Jones noticed that his car had been broken into. The laptop from his office was one of the items that had been stolen. The theft of the laptop by itself did not constitute a breach. However, because the patients' information on that laptop did not have proper security protections, the incident is now a breach. With more than 650 patients and their protected health information in the hands of unauthorized individuals, the HIPAA Breach Notification Rule requires Dr. Jones to report this incident to each individual patient, to the local media outlets, and to the Secretary of Health and Human Services. In all likelihood, Dr. Jones' reputation and that of his practice will suffer greatly. He will lose the trust of his patients, and the financial effects will be felt for a long time.

What is the Breach Notification Rule?
Simply put, the Breach Notification Rule requires all covered entities and business associates to provide notification if there is a breach of unsecured protected health information (PHI).

What is considered unsecured PHI?
PHI is considered unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through one of the methods specified in HHS guidance (such as encryption or destruction). Covered entities and business associates that secure their patients' PHI in this way, using documented policies and procedures, are not required to provide notifications following a breach of such information.

What is considered a breach?
Health and Human Services (HHS) states that a breach is, "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

Are there exceptions to the Breach Notification Rule?
Yes, there are three exceptions to the Breach Notification Rule as defined by HHS:

  1. "Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority."
  2. "Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates." In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

When a Breach Occurs
Following the discovery of a breach, the covered entity must notify each individual whose PHI was, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed. If the business associate discovers the breach, it must notify the covered entity and identify the affected individuals.

Notification must be made without unreasonable delay and no later than 60 days after discovery of the breach.

Required Notifications
  • Individuals - Written notice must be sent by first-class mail to the individual's last known address, or by email if the individual has specified a preference for email communication.
  • Media - If the unsecured PHI of 500 or more residents of a state or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during a breach, notice must be provided to prominent media outlets serving the state or jurisdiction.
  • Secretary of HHS - All breaches must be reported by March 1st of each year. If the breach involved 500 or more individuals, notice must be provided immediately. Otherwise, the covered entity may keep a log of breaches and submit the information annually. HHS publishes a list of covered entities that have experienced breaches affecting 500 or more individuals.

It is important for your office to be compliant with the Breach Notification Rule. Not understanding the requirements will not help your office during a HIPAA audit. The Privacy Rule, the Security Rule, and Breach Notification are all areas that will be scrutinized during an audit of your HIPAA Compliance Program. Being out of compliance with the Breach Notification Rule will put your office at risk and could destroy the reputation you have worked so hard to build.

For more information on the Breach Notification Rule, visit:

If you have any questions, feel free to email
