January 2014 O&P Almanac

Compliance Corner

• Examine the unauthorized person who used the PHI or to whom the disclosure was made. Was it an employee or a third party? Is the person trustworthy? Is the person/entity required to follow HIPAA?
• Determine if the PHI was actually acquired/viewed. Was the information encrypted? Was the security seal broken?
• Evaluate the type and amount of information that was accessed, used, or disclosed, and the nature and extent of the PHI. Is it sensitive information, like Social Security numbers? What type of information was disclosed and used?
• Establish the extent to which the risk to the PHI has been mitigated. Were corrective steps taken to stop future/further disclosures? Was there something that could have been done to mitigate the improper disclosure?

Notifying Patients of a Breach

The final component of what should, at minimum, be part of your breach policies and procedures is how to notify the patients affected by the breach. Notification to the affected individuals must be made without delay and no later than 60 days after discovery of the breach. Notifications should be written in plain language and mailed to the individual’s address, and should include the following information:
• a brief description of the breach, including a description of the types of PHI involved
• a brief description of any steps you are taking to mitigate the potential harmful effects of the breach
• an explanation of any steps the individual can take to protect himself or herself from potential harm resulting from the breach
• contact information for individuals to obtain additional information about the breach.

Additionally, if more than 500 individuals were affected by the breach, you should notify the Secretary of Health and Human Services (HHS), as well as prominent media outlets, when you notify the affected individuals. A log of all breaches should be maintained and submitted to the Secretary of HHS no later than 60 days after the end of each calendar year. Also consider what steps you can take to mitigate the possible damage of a breach, what sanctions can result from allowing a breach to occur, what training should be done to educate employees about the breach policies, and more.

Notice of Privacy Practices (NPP)

The Omnibus Rule granted patients additional rights, protection, and control over how their PHI can be used, disclosed, or accessed. For example, the sale of PHI for any reason or purpose is prohibited unless the patient provides direct authorization. Patients also have the right to request a copy of their PHI in any form they choose, and you must provide a copy within 30 days. Your NPP must be updated to reflect these changes and must be made available to all patients. According to the final rule, NPPs must include:
• information on your obligation to notify patients when a breach of their PHI occurs
• a statement indicating the patient’s right to request that a health plan not be informed of treatment that is paid for in full by the patient, and that you must comply with this request
• a statement indicating that authorization is required for uses and disclosures of PHI for marketing purposes and for disclosures that constitute a sale of PHI
• a statement indicating that if you maintain psychotherapy notes, you must receive authorization for most uses and disclosures of those notes
• a statement providing patients with the right to opt out of receiving communications regarding fundraising activities
• a statement noting that other uses and disclosures not described in the NPP will be made only with authorization from the patient
• a statement noting that a health plan is prohibited from disclosing genetic information for underwriting purposes.

Not all of these will apply to every practice, so be sure to examine your business practices carefully and remove any items that don’t apply to you. If you update your NPP, be sure your policies and procedures are up-to-date as well. For example, your current policy outlining a patient’s rights to authorize or restrict disclosures of his or her PHI will have to be updated to show that you must comply with the patient’s request not to disclose his or her PHI to the patient’s health plan if the service is paid for out of pocket and in full.

Devon Bernard is assistant director of coding reimbursement, programming, and education for AOPA. Reach him at dbernard@AOPAnet.org.


