December 3, 2024 
 
Wow, the year has flown!  We have some admin work to do as we prepare for the holidays, including fessing up to those more innocuous potential HIPAA breaches committed over the year.  For breaches affecting fewer than 500 individuals, the Breach Notification Rule gives us until 60 days after the end of the calendar year in which the breach was discovered (March 1 of the following year) to notify the Secretary of HHS.  But once the new year rolls around, who is thinking about the past year?  Let's get ahead of the obligation and get the data sorted now.

Over the years HHS has simplified the reporting process, and there is now a fairly easy-to-use portal: https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.  The biggest concern is not whether you can navigate the reporting process; it is whether you have to report at all, and if so, what information must be reported.

It is important to focus for a minute on the difference between a "breach" and a "disclosure."  A breach is an unauthorized, unwarranted disclosure of protected health information.  The devil is in the details when categorizing: under the rule, an impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised, and one of the factors in that assessment is the extent to which the risk has been mitigated.  So a situation that could have constituted a breach can often be mitigated down to a disclosure.  For instance, you transmit patient information to an unintended recipient.  What did you do after?  Did you not realize until much later and leave it alone (breach)?  Or did you contact the recipient immediately, get the information back, and confirm it was not accessed or retained (mitigated disclosure)?  Oftentimes it is the aftermath, meaning the mitigation and how it is documented, that dictates the liability.

The reality is that every healthcare provider has disclosures over the course of the year that may or may not be breaches.  Reporting to the Secretary is one form of checks and balances for HIPAA compliance.  At the opposite end are the complaints the Secretary may receive from a patient or another source alleging that your practice committed a breach.  Reporting the breaches you have committed, either along the way or on the annual schedule, is a LEGAL OBLIGATION.  If you fail to report and the government first learns of the incident through a third-party complaint, that will be taken as a strong indication that you are not following basic HIPAA protocol.  That said, not reporting something does not necessarily mean you are guilty, provided you did in fact follow the required protocol to assess the disclosure and determined it was not a breach.  This requires an actual assessment process, performed and documented in real time, not reconstructed after the fact.  (See my earlier, more detailed article on breaches.)

As part of your day-to-day compliance, and as a PROACTIVE rather than REACTIVE practice protection plan, if you do not already have one, let's develop a process for assessing and mitigating HIPAA disclosures as soon as possible.  And for those disclosures determined to be breaches, reminder: it is time to report.  Failure to report, and failure to maintain proper HIPAA compliance generally, may result in substantial fines.

For assistance with any part of the HIPAA protection process, email me (Jennifer@kirschenbaumesq.com) for a time to discuss where your practice is currently and where you want to be in taking a more proactive approach.  The clear breach (nightmare) scenario is a data breach affecting 500 or more individuals; that is not an annual-report item but must be reported to the Secretary without unreasonable delay and no later than 60 days after discovery, in addition to notifying the affected individuals.

Have a question for Jennifer?  Email is best.  You can reach her at Jennifer@Kirschenbaumesq.com.