Son of a Breach

This hypothetical scenario certainly ain’t the mac daddy of breaches, more like a “Son of a Breach.” A Son of a Breach is – a breach no less.

Recently a practitioner transferred records to an off-site storage facility. The company in charge of the transport mistakenly left one of the boxes of records outside of the storage facility and drove off. The wind blew the box open and records spilled out. The security company at the storage facility notified the practitioner of the situation.

Staff members of the practice descended on the facility and with the help of the security guard gathered the strewn papers. They spent hours recovering scattered papers.

The box was clearly identified and inventoried properly so the staff knew exactly which records were compromised. Imagine how much time and stress properly labeling records and boxes saved. Organization and retentiveness paid off! Still, this situation sucked!

Let’s break it down….

Prior to the Final Omnibus Rule, covered entities that experienced an unauthorized use or disclosure of information were required to determine the ‘potential for harm’ as the unit of measure for deciding what to do or how to respond to such an incident. This assessment was too subjective. HHS addressed this issue and attempted to provide a more objective guideline to help covered entities and business associates better determine whether a breach is a reportable breach.

In the new era (post Final Omnibus Rule) covered entities are now required to presume that any unauthorized use or disclosure of PHI is a reportable breach unless the Covered Entity can definitively state that there is a ‘low probability of compromise’ of their patients’ PHI based on a Risk Assessment of the breach.

To evaluate a breach a covered entity (or business associate) must answer the following:

    To whom was the PHI impermissibly disclosed?

    Was the PHI actually accessed or viewed?

    What is the potential ability of the recipient to identify the subjects of the data?

    Did the recipient take appropriate mitigating action, or what did the receiver do with the information?

If, after answering these questions, we either do not know the answers or cannot say that the breach presents a ‘low probability of compromise’, then we have some additional work to do.

If fewer than 500 people are affected:

    Make an entry in your HIPAA Breach Log

    Notify the affected persons by first class mail

    Notify Health and Human Services about the breach in writing by March 1st of the following year

If more than 500 people are affected:

    Make an entry in your HIPAA Breach Log

    Notify the affected persons by first class mail

    Notify Health and Human Services about the breach within 60 days of the time the breach was discovered

    Notify the major television and print media outlets for your area of the breach

It can be this simple unless you have people you cannot locate; then there are alternative notification requirements that add a few additional steps and make for a messier situation to deal with.

I heard a record skip as I mentioned notifying the media (imagine your own sound effect here). Who the heck wants to tell the local news that you experienced a large breach? Nobody wants to be on the news for being the victim of a theft, having an accident, or making a mistake with his or her patients’ PHI. However, this is a requirement for major breaches that affect more than 500 persons.

This law is why we see and hear reports about stolen laptops containing unencrypted PHI and other HIPAA breaches on the news; next time you hear one of these stories, have pity on the poor soul who is having to air their dirty laundry in an effort to comply with the law, which was designed to notify patients when their information is compromised.

In the end the practitioner completed their Risk Assessment and determined they could not account for every slip of paper from every file that was scattered in the wind. As a result they notified the affected patients that their information was potentially compromised.

The covered entity is required to inform the affected persons (only) about the breach, not every patient of the practice, so there is a small bit of relief. They do have to tell the affected persons what happened, how it happened, what PHI was involved, and what the covered entity did in the aftermath to minimize the potential impact and make it right.

While this situation certainly sucked it could have been exponentially worse. They might not have known which patients were affected due to poor inventory and labeling. They might have had a larger number of patients affected. They might not have discovered the breach and had their patient records collected by identity thieves (stolen identifying information is worth a lot on the black market, don’t kid yourself here).

Anytime an incident happens it is helpful to review the situation and learn from it. No matter if it is a HIPAA breach or a medical emergency encountered by a patient or their loved one, there is always something to be learned and passed on for the benefit of those around you. Everyone involved in this situation learned something. I know I did. How about you?

This practitioner’s unfortunate mishap is shared for your benefit, so that you may have an idea what to do if you find yourself in a similar situation. Breaches happen and it is crucial that covered entities respond appropriately. Failure to respond to a breach can open you and your dental practice up to civil and criminal liability.

The consequences for failing to adequately respond to a breach can cause even a small practice to face fines of up to $1.5 million, as well as exclusion from participation in Medicare, Medicaid/CHIP and other federally funded health programs. When these types of sanctions are administered you can rest assured the National Practitioner Data Bank and your state dental board will catch wind of the matter. This would likely trigger a visit from the ghost of dentist future. Son of a Breach!

Want to Avoid Breaches and get a Handle On HIPAA?

Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more… It’s not just about OSHA anymore!