What to Do in the Case of Unintentional Disclosure of Medical Records
Posted In: Business Law   | Posted by: Arenstein & Anderson Co., LPA
Our Medical Office Accidentally Provided a Patient List to Other Patients and the Public. What Should We Do?
When there is an unintentional disclosure of protected health information by a medical or dental practice, very specific and important steps must be followed under HIPAA and HITECH. Having experienced attorneys that have handled privacy breaches by medical and dental practices is imperative to complying with the law.
If the breach affected fewer than 500 individuals, then the action steps for the medical or dental practice (the “practice”) are somewhat less severe than they would be if the number exceeded 500 individuals. In the case of a breach involving 500 or fewer individuals, the practice must timely notify everyone affected, along with the U.S. Secretary of Health and Human Services. If the breach affected more than 500 individuals, the practice would also have to notify the media.
More specifically, after discovering a breach of unsecured protected health information, the practice must notify affected individuals by individual written notice, sent by first-class mail or, only if the affected individual has agreed to receive such notices electronically, by email. If there is out-of-date (or insufficient) contact information for 10 or more individuals, the practice must provide a substitute notice for them by either posting the notice on its website home page or providing the notice in major print or broadcast media where the affected individuals likely reside. If the insufficient contact information affects fewer than 10 individuals, the practice may provide substitute notice by an alternative form in writing, by telephone, or other means. The practice should provide these individual notifications as quickly as possible but in no case later than 60 days following the discovery.
The content of the notice must include, to the extent possible, descriptions of: the breach itself; the types of information involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as the practice’s contact information. For substitute notice provided via web posting or major print or broadcast media (if applicable), the notification must include a toll-free number for individuals to contact the practice to determine if their protected health information was involved in the breach. The content of this notice is extremely important. Having experienced attorneys that have assisted with such a notice and the steps involved in this process is advisable.
In addition to the affected individuals, the practice must also notify the U.S. Secretary of Health and Human Services. The practice can notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If the breach affected 500 or more individuals, the practice would have to notify the Secretary on the same time frame as individuals. However, if the breach affected fewer than 500 individuals, the practice may notify the Secretary on an annual basis.
The notice must be submitted electronically on the U.S. Health and Human Services website by completing all information required on the breach notification form posted there. If applicable, a separate form must be completed for every breach that has occurred during the calendar year. If the practice discovers more information to report after submitting the initial form, it should submit an additional form and check the box to indicate that it is an updated submission. If it is unclear how many individuals are affected by a breach when the form is filed, the practice should provide an estimate. As the unclear information becomes available, an additional breach report should be submitted as an addendum to the initial report.
With regard to tracking the practice’s required action steps, keep in mind that the practice has the burden of proof to demonstrate that all required notifications have been provided. Similarly, the practice must comply with several other provisions of the rules with respect to breach notification. For example, the practice should have in place written policies and procedures regarding breach notification, train employees on those policies and procedures, develop and apply appropriate sanctions against employees who fail to comply with them, and take other proactive steps.
It is also important to note that the law and requirements in this area are constantly in flux. Legal representation with experience in this area and with a working knowledge of the changes and additions to the breach notification requirements is essential.
Arenstein & Andersen Co., LPA, located in Dublin, Ohio, provides comprehensive business services to medical, dental, and veterinary practices. For businesses in the medical, dental, and veterinary fields we offer a unique emphasis on healthcare laws and compliance, including physician, dentist, and veterinarian employment contracts, assistance with insurance and billing issues, compliance with Stark and other anti-kickback laws, privacy and electronic records laws (including HIPAA and HITECH), Medicare and Medicaid compliance, day-to-day operations of practices, audits conducted by the Ohio Bureau of Workers’ Compensation, Medicaid, Medicare, and other State and Federal Agencies.