Managing medical records is one of the most challenging parts of maintaining any practice, from extensive treatment logs to patient history. Keeping that information confidential is the key to providing first-class services to your patients. However, under the Health Insurance Portability and Accountability Act of 1996, a breach of the privacy of someone’s medical information requires that you notify the patient in question of the incident.
So what, specifically, are the breach notification rule requirements under HIPAA? Read on to learn how the rules work. They depend largely on the circumstances of the breach and the extent to which the breached information affects the patient.
And if you need experts to help you manage your cash flow and revenue cycles for a compliant practice, including navigating HIPAA in medical billing, call PracticeForces.
What Is a Medical Information Breach?
HIPAA defines a medical information breach as any situation in which an unauthorized user gains access to protected, unsecured paper or electronic medical records. The risk associated with the breach determines its severity and dictates the notification procedure.
For example, HIPAA’s risk assessment for a breach includes the following:
- The type, nature, and extent of protected health information involved in the breach
- Who the unauthorized individual that obtained the information was
- Whether the unauthorized individual actually accessed or viewed the information
- The efficacy of risk mitigation responses from medical professionals involved
Breach Notification Rule Requirements
Just what are the breach notification rule requirements, though?
Notify Patient
Depending on the risk assessment, medical professionals must start by notifying the impacted individuals. This must happen no more than 60 days after the discovery of the breach.
Send Letter
Covered entities must send breach notification letters through first-class mail. The letter describes the breach, which may include which department’s unsecured protected health information was involved and the extent to which the records were compromised.
Notify Department of Health and Human Services
Next, you need to notify the Department of Health and Human Services. If the breach impacted over 500 people, this notification must occur no more than 60 days after discovery. Smaller breaches may be reported within 60 days after the end of the calendar year in which they were discovered.
Notify Media
If the breach involved over 500 individuals, covered entities must also notify the media in the affected patients’ states to increase awareness and allow more patients to take action. Failing to notify the media may result in legal penalties.
Update Webpage
Finally, the impacted organization must post a substitute breach notice linked from its homepage. The notice must remain on the website for 90 days.
Improve Practice Billing and Workflow With PracticeForces
HIPAA is just one of the rules in place to ensure that practices serve their patients well. Other areas to refine might include streamlining the basics of medical billing or outsourcing your practice’s cash flow management. Why not contact PracticeForces for help?
With comprehensive services for medical practices of any kind, our team can help you maximize your profits and streamline your operations.
What are the breach notification rule requirements for breaches affecting fewer than 500 individuals? Find out from PracticeForces at (727) 202-5429. And remember to ask about billing and workflow management ideas that could aid your practice!