We are all well aware of the epidemic of large data breaches that have been occurring recently. Anthem, Blue Cross, UCLA, the list goes on and on. Over 143 million records breached to date – an astounding figure! Since 2009, when the Office of Civil Rights “Wall of Shame” came into existence, there have been over 1,200 breaches of 500 records or more that have been reported. But what if your practice breaches just 1 record. Is that a big deal? After all, it is just one person who is affected.
Well it turns out that it could be a big deal, and how well your practice is prepared and how you handle it can make a big difference. First, let’s explore how you can breach just one record. The most common way is probably when information regarding a patient is sent inadvertently to the wrong person or entity. Practices release medical records all the time. It is an essential part of medical practice operations. We are all human – some practices have thousands of medical record requests – statistically speaking an error (or a breach) is bound to occur sooner or later. Records can be sent by accident to the wrong recipient, or records that are being released can be commingled. Either way, both issues may constitute a breach. A breach occurs when a patient’s Protected Health Information (PHI) is disclosed to an unauthorized recipient. Just one wrongful disclosure can constitute a breach.
Breaches under 500 records
Many people associate a 500 record breach as the cutoff point for having potential HIPAA issues. Not so. While breaches over 500 records have more stringent reporting requirements, all breaches must be reported. This may surprise some people who thought that only larger breaches are required to be reported. Breaches of less than 500 records can be reported to HHS on an annual basis; breaches over 500 records need to be reported within 60 days. Details of breach notification requirements can be found here, and it is required that breaches be reported via this form. It is imprudent to assume that small breaches don’t have consequences. In 2013, the Hospice of Northern Idaho received a $50,000 fine for a breach of less than 500 records.
Before we get to the details of handling a data breach, let’s take a look at the big picture. Put yourself in the shoes of a patient who has been told that an unauthorized person has seen their medical record. Regardless of how inconsequential you may think the event is, the patient may believe it is serious. In fact, the patient may think it is a huge issue and the sky is falling. Everyone’s perception is their reality, so it is important to treat the situation with the gravity that the patient perceives it to have. It is probably best for practice management to handle the situation, and to assure the patient that everything is being done to investigate the breach and to handle it in the manner prescribed under the HIPAA statutes. If the patient feels you are not handling the situation properly, they have recourse – a formal HIPAA complaint can be initiated. Several years ago, this was probably not an easy thing to do, but now with the Internet, it takes less than 10 minutes. All you have to do is search for “how to file a HIPAA complaint” and the first link that pops up is this HHS page that shows the patient how to file a complaint online. This is where a practice can get into trouble. Every complaint has to be reviewed, and a review can lead to an investigation. The ability to easily file complaints is showing up statistically. The number of complaints investigated by OCR has increased over tenfold in the last ten years, going from less than 2,000 in 2003 to over 14,000 in 2013, the last year data is available.
Investigations and consequences
An investigation is something that should be avoided at all costs. Not only will HHS take a look at the actual breach and how it was handled, but your HIPAA policies and procedures can be reviewed. This is what happened to the Hospice of Northern Idaho. HHS found that HONI had not conducted a Security Risk Analysis, nor had they put into place proper policies and procedures. Here is a quote from the HHS press release regarding the imposed fine: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez.
What you can do
According to Janine Akers, CEO of DataFile Technologies, a HIPAA Compliance eROI and eFiling services vendor, in order to prepare for this event (and everyone should prepare for it, because it will happen in your practice), proper procedures should be developed, documented and rehearsed. Akers states “Ensure your staff is continually trained to handle incidents. Practice scripts to properly handle callers and review documentation annually. Define clear expectations with associated timelines. If you are a practice of more than 5 providers and you don’t have a single incident documented of potential wrongful disclosure from last year, you most likely have a problem. It’s not that you don’t have an incident, it’s that your staff has not reported it to you properly because they most likely do not understand the impact/significance of a seemingly innocent error.”
Whenever an incident occurs an internal investigation should be undertaken. There are rules regarding what does and does not constitute a breach. To begin with, make sure the event is in fact a breach.. Chances are that your practice is not performing a breach analysis on a daily basis, so if a breach or potential breach occurs it is best to have a professional third party help you with the situation. That same third party can help you determine how best to handle the breach, and assist you with reporting the breach to HHS.
Finally, make sure you are HIPAA compliant. Perform an annual Security Risk Analysis; train your employees and make sure you have up-to-date policies and procedures. As mentioned above, a HIPAA breach or complaint could trigger an investigation of your practice that could be very costly and time consuming. It’s perhaps best to close with a quote from Ben Franklin – “an ounce of prevention is worth a pound of cure”