Despite clear compliance plans, annual training, and limiting access, there is still a chance your practice could experience a breach of protected health information (“PHI”). A “breach” means the use or disclosure of unprotected information that is not permitted by HIPAA and compromises the security and/or privacy of the PHI. Most practices allocate considerable resources towards preventing breaches, but it is a good idea to review procedures in case a PHI breach should occur.
- When a breach occurs, first gather information. Determine what type of PHI was disclosed, who accessed it without authorization, and the number of patients exposed.
- Next, make every attempt to mitigate the damage. Can you ensure that the breached PHI has been destroyed or will be returned?
- Third, provide the necessary notifications. Patients must be notified no later than 60 days from when your practice knew or reasonably should have known of the breach. To help expedite the notification process, make sure that your patient contact information remains current.
- Finally, review your practice’s compliance plan, training schedules, and access to PHI to help prevent a similar breach from occurring again.
© 2012 Parsonage Vandenack Williams LLC
For more information, contact firstname.lastname@example.org