The medical field has come a long way, both in its treatments and its standards. Modern caregivers navigate a deep sea of rules and regulations designed to protect patients every day. HIPAA is one of those rules. The Health Insurance Portability and Accountability Act was passed to protect sensitive information provided to care providers. Some information must be sacred, and medical information is just that.
Though HIPAA’s mission is simple, making it happen can be relatively complex. It is important to read through each part of HIPAA in order to fully understand the ways it can protect your patients’ information. We’re talking about both physical and electronic forms of information, though you’ll commonly deal with Electronic Protected Health Information (EPHI), which makes providing healthcare convenient but comes with certain vulnerabilities. HIPAA is here to make sure that your patients’ EPHI stays secure. It has several rules, the most important of which are the following:
- The Security Rule
- The Breach Notification Rule
- The Privacy Rule
How to Maintain Compliance with the Breach Notification Rule
In our last blog, we went over the Security Rule and all the ways it can defend your patients’ information (and your practice as a result). In today’s blog, we want to look at the Breach Notification Rule. This rule is all about what happens if your security systems fail. When you have a breach, you need to disclose it to the HHS Office for Civil Rights (OCR). Here is the full list of required action items:
- File a report with OCR. As we said, all Protected Health Information (PHI) breaches should be disclosed to the OCR. All reports have to be filed through the OCR’s portal.
- Move quickly when more than 500 people are affected. Though all breaches must be reported, a breach impacting more than 500 people should be reported within 60 days and generally as quickly as possible. Otherwise, you can be penalized for failing to report the breach quickly enough.
- Notify the patients who are affected by the breach. Unless patients have agreed to receive emails from you, notify all affected patients via first class mail. If more than 10 patients don’t have contact info, post an online notice for 90 days that includes a toll-free number people can call for more information. Again, it is important to take this action as quickly as possible (within 60 days). You will want to ensure that you provide information about what action patients can take to protect themselves.
- Report big breaches via the media. If you have a breach affecting more than 500 people, you will need to create a press release to be distributed in that area by the media. As with other reports, you have 60 days.
- If fewer than 500 people are affected, report breaches annually. Let the OCR know about any breaches affecting fewer than 500 people once a year.
- Maintain breach notification records. You’ll want to maintain records of every breach notification you make, including media, OCR, and individual.
We Are Here to Support Your Practice
Keeping your medical practice running smoothly takes a lot of work. Let us help you with biohazard waste disposal in New Mexico and beyond!