What Should I Do If I Discover A Breach of PHI?

(September 6, 2012): What should you do if you discover a breach of PHI (Protected Health Information)? The short answer is: it all depends on who you are. With the rise in concern over and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patients, families, practitioners, and health care executives need to know how to handle protected health information (PHI). PHI consists of information that falls into any 1 of 18 established categories and can be used to identify an individual and/or their medical condition or diagnosis. HIPAA is designed to protect patients from the wrongful use or disclosure of PHI, as well as from security breaches affecting PHI. In the past few years, security breaches of PHI have hit epidemic proportions; doctors, nurses, billers, and hospital administrative/executive staff have reported the loss or theft of hundreds of laptops, flash drives, CDs, and other portable electronic devices. As you know, these devices can hold hundreds and even thousands of medical records and other health information containing PHI. So when even a single computer or flash drive is stolen and represents a breach of PHI, the effect of this incident can be felt by every stakeholder and could result in tremendous penalties levied by the Federal government. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and its private contractors have recently doled out millions of dollars in fines for HIPAA violations. That is why it is so important to know how to handle a breach of PHI.

I. Patients and Their Families:

If you are a patient or a family member of a patient who has concerns over the security of your PHI, or if you know of a specific breach of PHI, this is a serious concern. PHI falling into the wrong hands can and does lead to identity theft and Medicare fraud - those who steal PHI then either sell it to identity thieves or use it for their own gain. This can affect a patient's bank accounts, credit rating, or reputation. If you know of a security breach of PHI, you should report this incident to OCR. OCR's website has a section to report complaints, and once OCR receives a complaint, it reviews it and considers opening an investigation into the allegations.

II. Health Care Providers and Suppliers:

If you are a provider, a breach of PHI is a whole different story. First, you need to determine who the "covered entity" involved in the breach is. Nearly all providers and health care practices are covered entities at this point, but it is important to determine whether the covered entity is an individual doctor or nurse practitioner or rather a hospital or clinic. Second, we recommend that you contact your health law counsel to advise you on proper disclosure. A covered entity has different reporting obligations depending on the egregiousness of the breach and the number of individuals affected by it. For instance, no matter how few people are affected by a breach of PHI, a provider must notify them of the breach. But as the numbers get higher, the provider must disclose the breach even more widely. For a breach involving 500 or more patients, for instance, the provider must notify the Secretary of HHS as well as local news media, and keep a notice of the breach up on its website for a period of time. As you can imagine, a breach of PHI of this magnitude can really hurt a provider's good reputation. It is also important to keep in mind the four-tiered penalty structure under HIPAA: violations which could not have been reasonably prevented will incur significantly lower fines than those which could have been prevented and were ignored.

Of course, you can get yourself and your practice into one of the lower tiers by establishing and maintaining an effective Compliance Plan. An effective Compliance Plan is designed to keep you and your staff honest and on the same page about your compliance obligations, and will serve as a roadmap for your organization in how it conducts its business. Compliance Plans should focus not just on HIPAA (though that is a large part), but also on OSHA, Stark, Anti-Kickback, employee relations, codes of conduct, and billing and coding functions. We recommend that you begin establishing your Compliance Plan through a gap analysis: identifying the standards you must meet, assessing your organization's compliance with those standards, and determining and correcting any gaps found. While this may not eliminate the risk of a breach of PHI, it certainly helps to reduce that chance and also shows the Federal government you are trying to do the right thing.

Robert W. Liles - Managing Partner - Senior Health care attorneys - Liles Parker

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification, and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.