Another privacy rule that's set to kick in next month will make life even tougher for private practices that suffer a HIPAA slip up
The current state of play: Under the new HIPAA regulations that went into effect earlier this year, providers have 60 days to investigate all suspected breaches of protected patient information and notify patients when appropriate. They also must file a detailed report about the breach with the HHS Office for Civil Rights (OCR).
Bigger breaches are everyone's business. When a breach affects 500 or more patients the practice must also notify the media, inform the OCR by the 60 day deadline and the OCR will post information about the breach on its website including the number of people affected, what caused the breach (usually theft of computers, portable electronic devices or paper records according to the list) and the provider's name.
A private practice can keep its name off the OCR's list. For now. Due to a long-standing rule, a private practice can opt to remain anonymous when the OCR posts the details of its 500+ patient breach. However, in a notice published April 13, the OCR announced it will eliminate this option on May 23, 2010 "unless OCR receives comments that require alterations to this notice."
The OCR believes allowing certain providers to remain anonymous clashes with the intent of the new HIPAA rule. You can view the notice and leave a comment on the regulations.gov website.
Believe it or not, providers who experience a breach, go through the hassle and embarrassment of reporting the incident, endure the unwanted publicity and the OCR investigation that follows are the lucky ones. It means they're aware of the rules. Providers who don't report because they aren't aware they've suffered a breach or fail to jump through all of the other new HIPAA hoops are just one patient complaint away from the million dollar fines that are also a part of the new HIPAA regulations.
Make sure your HIPAA policy is water tight. Government guidance has been sparse, but that hasn't stopped HHS from sending out a corps of new investigators. Don't wait until an investigator finds a flaw in your policy. Find out how to Plug the Gaps in your HIPAA Privacy & Security Policy on Tues. May 5, 1:00 - 2:30 p.m., E.T. Call 1-866-620-5939 to learn more.