What To Do After a HIPAA Breach

Avoiding security and identity breaches is one of the top priorities of any organization, public or private. But as a medical provider, you must also consider the reality of a HIPAA breach. Avoiding this situation is crucial, but it is equally critical to know what to do if it happens.

The Portland, OR, team at Doug Fir Billing is here to support your practice through conscientious, timely medical billing. We love seeing practitioners thrive as they help their patients thrive. Connect with us today to learn more.

What Constitutes a HIPAA Breach?

In very general terms, a HIPAA breach occurs when a non-authorized person or organization gains access to someone’s protected health information (PHI) through a covered entity or one of its business associates. Of course, the actual HIPAA rules use far more detailed language, but that is the basic idea.

Hospitals, clinics, medical providers, and anyone who transmits protected health information electronically all fall under the “covered entity” umbrella. In today’s digital world, that pretty much includes any provider, insurer, or biller.

Not every information leak qualifies as a breach; some inadvertent or unintentional disclosures do not rise to the level of a HIPAA violation. It is always a good idea to have legal counsel when determining whether a breach has occurred.

What To Do If a HIPAA Breach Happens

No perfect patient management system exists. We have access to significant security measures in the digital realm, but they aren’t foolproof. Human error commonly contributes to unintentional breaches and security mishaps. And hackers seem to adapt to every new advance to continue causing problems.

In short, breaches happen, and they happen frequently. On average, about two breaches involving 500 or more personal records are reported each day. Nearly 95% of the US population has had a compromised medical record.

If your practice falls prey to a violation, malicious or not, it’s critical to take the proper steps to protect your patients and yourself.

1. Stop the Breach

Like plugging a dam, finding and stopping the mishandling of information is vital. Terminate improper access to the protected information and retrieve the data as soon as possible. Interview anyone involved to determine how far the information flowed.

2. Act Quickly

Ignoring or waiting to deal with a situation can compound the problem and open you up to more potential fines. As soon as you know of a breach, reach out to your designated privacy officer and legal counsel and start an investigation. 

Moving quickly is critical to stop further damage and to help you avoid escalating penalties. Typically, legal deadlines for addressing a breach begin the moment someone in the organization other than the instigator becomes aware of it.

3. Make Notifications, If Required

Depending on the circumstances and breadth of the breach, you may have to notify various parties. There are many nuances in determining this, so your privacy officer and legal counsel should advise you on the next steps.

If notification is necessary, you may need to contact several different groups. Reports might need to go to any of the following:

Consequences and Penalties

When a significant breach happens, the appropriate government organizations may impose a Corrective Action Plan. If this is the case, you must show that you’ve implemented more protective systems and procedures. 

In egregious cases, offenders may receive monetary fines. This penalty is more likely to happen when the breach is widespread, causes harm to the individuals impacted, or was ignored by the organization.

Fines could be less than $200 per incident, especially when a breach is unintentional and quickly corrected. But when agencies can prove willful neglect and a lack of correction, the penalties may approach $2 million per incident.

How To Avoid HIPAA Breaches

Clearly, the best strategy is to avoid any violations in the first place. Here are some of the best practices to help bypass any mishandling of protected health information:

  • Train every employee on their HIPAA responsibilities upon hiring. 

  • Provide refresher training to each employee regularly.

  • Never share personal login credentials with anyone.

  • Never leave physical documents unattended.

  • Never leave digital storage devices unattended.

  • Ensure your designated privacy officer has ongoing training opportunities.

  • Invest in updated, appropriate encryption and IT security options.

The Work-From-Home Challenge

Ensuring HIPAA compliance and data security became more challenging when the COVID-19 pandemic shifted much of the workforce to remote positions. If your employees work from home, you need to be even more vigilant about passwords and access. 

Similarly, providers must be cautious about HIPAA compliance when offering virtual telehealth care. Using secure servers and non-personal devices can help keep you compliant.

Outsourced Medical Billing and HIPAA Concerns

Outsourcing your billing needs is an excellent way to streamline your processes, boost your revenue, and improve client satisfaction. But when you hire a medical billing company, it is critical that they are HIPAA compliant. Medical billers absolutely fall under these regulations.

When you select a biller, ask them about their systems for remaining compliant and protecting sensitive information. You owe it to your patients and yourself to have this conversation.

At Doug Fir Billing, we take your compliance seriously. You and your patients deserve the respect, protection, and privacy that HIPAA offers. Our team of billers works with integrity and caution for each of our clients. We help you get the compensation you deserve from insurers while protecting your practice’s sensitive data. As specialists in mental health practices, we are particularly conscientious in safeguarding patient information.

To learn more about how our services can work for you, connect with us today.
