Thursday, February 4, 2010

As of February 22, Comply with HIPAA Breach Notification Rules or Face Sanctions

The HITECH (“Health Information Technology for Economic and Clinical Health”) Act enacted last February imposed obligations on health care providers to notify patients if their protected health information was used or disclosed in a manner not permitted by HIPAA’s Privacy Rule. The U.S. Department of Health and Human Services published regulations, which took effect in September 2009, specifying when and how providers have to notify patients of HIPAA breaches, as well as recordkeeping requirements regarding reported HIPAA violations. When it published these “breach notification” regulations, HHS stated it would delay imposing sanctions for failure to comply with the regulations until February 22, 2010. So now is the time to familiarize yourself with the HITECH Act’s breach notification rules to avoid the prospect of hefty sanctions, ranging from a minimum of $10,000 up to $50,000 per violation, for willful neglect of the regulatory requirements.

Basically, the breach notification rules require a health care provider to notify a patient if his/her protected health information (PHI) has been acquired, accessed, used or disclosed in a manner not permitted under HIPAA’s Privacy Rule which “poses a significant risk of financial, reputational, or other harm to the individual.” The form and manner of notification required under the regulations vary depending on whether a breach involves the PHI of fewer than or more than 500 patients. There are certain good faith exceptions to the requirement to notify patients of PHI breaches.

The breach notification rules also require reporting of PHI breaches to HHS under certain circumstances, and impose an obligation on health care providers to document alleged HIPAA violations as well as the provider’s determination as to whether a breach occurred for purposes of the breach notification rules.

The key to compliance with the breach notification rules is establishing a procedure for receiving information about alleged HIPAA violations, evaluating whether a purported violation constitutes a breach for purposes of the notification rules, and documenting whether and how notification was provided. All documentation related to this procedure should be maintained in one location, preferably by one individual, in your practice. With February 22 just days away, it’s time to understand the HITECH breach notification rules and establish a procedure for complying with them.