Life's a Breach and then You're Fined

Article

The easiest way to avoid any kind of HIPAA problems is to make sure that your patients’ personal health information (PHI) is secure – by definition, secure PHI cannot be breached. Best to get prepared now because as HIPAA informs, the penalties they-are-a-comin.

Gerry Hinkley, a lawyer from San Francisco who specializes in healthcare regulatory matters, wants to know if you are ready for the new HIPAA privacy and security mandates. If you aren’t, then it’s time to do your homework. Just as Bob Dylan told us that the times-they-are-a-changin, HIPAA has taken it a step further to inform you that the penalties they-are-a-comin. And no one likes penalties, especially financial penalties. If that wasn’t obvious then it became crystal clear when Hinkley’s session became the can’t miss session of the day, as physicians packed it in to the point where it was standing room only.

Although Hinkley touched on a number of subjects, the main focus of this discussion was personal health information and what can happen to you if your patients’ records are breached. It may seem like a simple cut-and-dry explanation, but it’s anything but. There are multiple tiers of violations, new regulations, and harsher penalties. After all, there has to be a distinction between an employee mistakenly accessing something that they shouldn’t and then making sure to fix the problem and hospital employees who maliciously steal records and sell them, such as in the case of the Octomom in California. The easiest way to avoid any kind of HIPAA problems is to make sure that your patients’ personal health information (PHI) is secure — by definition, secure PHI cannot be breached.

What is a breach?

But before going any further, what exactly constitutes a “breach”? Well, the HIPAA definition is as follows: unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI (ie, poses a significant risk of financial, reputational, or other harm to the individual). Taking it a step further, “access” is defined as the ability to read, write, modify, or communicate data or otherwise use any system resource. Got it? Ok, moving on then…

What do you need to do in the event of a breach?

Even the most careful physician out there can run into a breaching problem. That is why it’s important to know exactly what to do should you ever encounter a situation where a patient’s PHI has been breached. For starters, you have 60 days to report the breach to the patient. If the breach results in imminent danger, a telephone call must be made in addition to the necessary paperwork. If the breach affects 500 or more people in a state or region (which happens more frequently than you would think), you must promptly disclose the breach to prominent media outlets, as well as the Secretary of Health and Human Services (HHS). In the event of any breach, the notification must include the following information: what happened, the date of discovery, the date of the breach, steps that the affected individual should take for protection, and contact information.

What penalties am I susceptible to in the event of a breach?

These are the penalties imposed, courtesy of Mr. Hinkley’s slide presentation:

  • Tier A (if offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law): $100 for each violation, up to $25,000 for identical violations
  • Tier B (if the violation was due to reasonable cause and not willful neglect): $1,000 for each violation, up to $100,000 for identical violations
  • Tier C (if the violation was due to willful neglect but was corrected): $10,000 for each violation, up to $250,000 per year
  • Tier D (if the violation was due to willful neglect and was not corrected): $50,000, up to $1,500,000 per year

As I mentioned before, the easiest way to avoid being in a situation where a security breach may occur is to secure your patients’ PHI. If you have encryption settings or passwords, don’t make it easy for others to crack the system. (If your password is “password,” you’re likely going to be held accountable for not properly securing data.)

In the end, there’s always going to be some degree of risk involved (especially considering that these HIPAA regulations are ripe for whistleblowers), but if you take the necessary steps and precautions to do everything in your power to make sure your patients’ information is held secure, you should not have to worry.

Related Videos
Kelley Branch, MD, MSc | Credit: University of Washington Medicine
Sejal Shah, MD | Credit: Brigham and Women's
Stephanie Nahas, MD, MSEd | Credit: Jefferson Health
Kelley Branch, MD, MS | Credit: University of Washington Medicine
Related Content
Nisa Maruthur, MD, MHS | Credit: American Heart Association

Isocaloric Time-Restricted Eating May Not Induce Weight Loss in Patients with Obesity

April 21st 2024
Article
Javed Butler, MD | Credit: BAIM Institute

Don't Miss a Beat: EMPACT-MI at ACC.24, with Javed Butler, MD

April 6th 2024
Podcast
Dermatology Skills for Internal Medicine Physicians with Roy Colven, MD

Dermatology Skills for Internal Medicine Physicians with Roy Colven, MD

April 20th 2024
Article
Default thumbnail for Diabetes Dialogue, featuring podcast logo and headshots of hosts.

Diabetes Dialogue: ATTD 2024 Preview

February 27th 2024
Podcast
Dual-Tasking: Spotlighting the Impacts on Individuals with Dementia

Dual-Tasking: Spotlighting the Impacts on Individuals with Dementia

April 20th 2024
Article
Hasmeena Kathuria, MD | Credit: Boston Medical Center

Approaches to Promote Health Behavior Change and Smoking Cessation, with Hasmeena Kathuria, MD

April 20th 2024
Article
© 2024 MJH Life Sciences

All rights reserved.