Arenstein & Andersen

1.4.2014

What to Do in the Case of Unintentional Disclosure of Medical Records

Posted In: Business Law   |   Posted by: Arenstein & Andersen Co., LPA

Our Medical Office Accidentally Provided a Patient List to Other Patients and the Public. What Should We Do?

When a medical or dental practice unintentionally discloses protected health information, very specific and important steps must be followed under HIPAA and HITECH. Having experienced attorneys who have handled privacy breaches by medical and dental practices is imperative to complying with the law.

If the breach affected fewer than 500 individuals, then the action steps for the medical or dental practice (the “practice”) are somewhat less severe than they would be if the number exceeded 500 individuals. In the case of a breach involving 500 or fewer individuals, the practice must timely notify everyone affected, along with the U.S. Secretary of Health and Human Services. If the breach affected more than 500 individuals, the practice would also have to notify the media.

More specifically, after discovering a breach of unsecured protected health information, the practice must notify each affected individual with a written notice sent by first-class mail, or by email if the affected individual has agreed to receive such notices electronically. If the practice has out-of-date (or insufficient) contact information for 10 or more individuals, it must provide a substitute notice for them by either posting the notice on its website home page or providing the notice in major print or broadcast media where the affected individuals likely reside. If the insufficient contact information affects fewer than 10 individuals, the practice may provide substitute notice by an alternative form in writing, by telephone, or by other means. The practice should provide these individual notifications as quickly as possible, but in no case later than 60 days following the discovery.

The content of the notice must include, to the extent possible, descriptions of: the breach itself; the types of information involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches; and the practice’s contact information. For substitute notice provided via web posting or major print or broadcast media (if applicable), the notification must include a toll-free number for individuals to contact the practice to determine whether their protected health information was involved in the breach. The content of this notice is extremely important. Having experienced attorneys who have assisted with such a notice and the steps involved in this process is advisable.

In addition to the affected individuals, the practice must also notify the U.S. Secretary of Health and Human Services. The practice can notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If the breach affected 500 or more individuals, the practice would have to notify the Secretary on the same time frame as individuals. However, if the breach affected fewer than 500 individuals, the practice may notify the Secretary on an annual basis.

The notice must be submitted electronically on the U.S. Department of Health and Human Services website by completing all information required on the breach notification form posted there. If applicable, a separate form must be completed for every breach that has occurred during the calendar year. If the practice discovers more information to report after submitting the initial form, it should submit an additional form and check the box to indicate that it is an updated submission. If it is unclear how many individuals are affected by a breach when the form is filed, the practice should provide an estimate. As the missing information becomes available, an additional breach report should be submitted as an addendum to the initial report.

With regard to tracking the practice’s required action steps, keep in mind that the practice has the burden of proof to demonstrate that all required notifications have been provided. Similarly, the practice must comply with several other provisions of the rules with respect to breach notification. For example, the practice should have written policies and procedures regarding breach notification in place; train employees on those policies and procedures; develop and apply appropriate sanctions against employees who fail to comply with them; and take other proactive steps.

It is also important to note that the law and requirements in this area are constantly in flux. Legal representation with experience in this area and with a working knowledge of the changes and additions to the breach notification requirements is essential.

Arenstein & Andersen Co., LPA, located in Dublin, Ohio, provides comprehensive business services to medical, dental, and veterinary practices. For businesses in these fields we offer a unique emphasis on healthcare laws and compliance, including physician, dentist, and veterinarian employment contracts; assistance with insurance and billing issues; compliance with Stark and other anti-kickback laws; privacy and electronic records laws (including HIPAA and HITECH); Medicare and Medicaid compliance; day-to-day operations of practices; and audits conducted by the Ohio Bureau of Workers’ Compensation, Medicaid, Medicare, and other state and federal agencies.
