Did your chiropractic office experience a breach of protected health information (PHI) in 2021 that affected fewer than 500 individuals? If so, you have less than 30 days to act before the HIPAA Breach Notification deadline of March 1, 2022.
HIPAA Breach Notification Deadline Basics
The HIPAA Breach Notification Rule outlines specific actions that chiropractors and other healthcare professionals must take for every breach of unsecured PHI, and adds requirements that depend on the number of individuals affected.
If a breach discovered in the 2021 calendar year affected fewer than 500 individuals (small-scale): Your office must log the breach and notify the Secretary of Health and Human Services within 60 days of the end of the calendar year in which the breach was discovered. Even a breach involving only one person’s PHI must be reported. The deadline to report any small-scale breach discovered in 2021 is March 1, 2022.
If multiple small-scale breaches were discovered within the 2021 calendar year: Every one of them must be reported to the Secretary by that same March 1, 2022 deadline; there is no minimum count and no aggregation threshold.
If a breach affected 500 or more individuals (major breach): You must report the breach to the Secretary of Health and Human Services without unreasonable delay and no later than 60 days after discovery, at the same time you notify the affected individuals. If the breach involves more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must also be notified within the same 60-day window.
Regardless of the size of the breach, every affected individual must receive a breach notification letter without unreasonable delay and in no case later than 60 days after the breach is discovered. The end-of-year window applies only to reporting small-scale breaches to HHS; it never extends the deadline for notifying the individuals whose PHI was breached.
If you lack current contact information for 10 or more affected individuals, you must provide substitute notice: either a conspicuous posting on the home page of your organization’s website for at least 90 days, or a conspicuous notice in major print or broadcast media where those individuals likely reside. Either form must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. Failure to do so constitutes a HIPAA violation and exposes your organization to substantial fines and penalties.
HIPAA Breach Notification Deadline Triggers
Cybercrime has dominated the news in the past year, but hacking and ransomware attacks are only one category of incident that can lead to a reportable breach. Don’t forget the following reasons to report a breach:
- Unauthorized access to or disclosure of PHI – Examples include workforce members viewing records they have no job-related need to see, or PHI being sent to the wrong recipient. This can occur through paper records or films, the EMR/EHR, or email.
- Theft or loss of an unencrypted device with access to PHI – A breach occurs if an unencrypted electronic device that stores or can access PHI is lost or stolen. These devices include desktop computers, laptops, tablets, mobile phones, and other portable devices. A device encrypted in line with HHS guidance is the notable exception: the PHI on it is considered secured, so its loss is not a reportable breach. This is the strongest reason to enforce full-disk encryption on every device that touches patient data.
- Improper disposal of medical records – Disposing of paper or electronic records in a way that leaves them susceptible to unauthorized access constitutes a breach. Paper records must be shredded, burned, pulped, or pulverized so that PHI is unreadable and cannot be reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with NIST SP 800-88 (Guidelines for Media Sanitization), the standard HHS guidance points to; simply deleting files or reformatting a drive does not meet this bar.
The Hidden Value of HIPAA Compliance
Believe it or not, the government understands that breaches will happen. To date, the HHS Office for Civil Rights has not issued a fine or taken enforcement action for a PHI breach alone.
Penalties are triggered when offices fail to meet the underlying requirements of the HIPAA regulations: timely breach notification, periodic security risk assessments, compliance with the Privacy and Security Rules, and proper agreements and procedures with business associates.
Simply following the rules of HIPAA is much like buying a high-performance sports car and using the lowest grade fuel available. You’ll never see it operate at its peak potential.
When forward-thinking chiropractic practices achieve HIPAA compliance, they can leverage that into a foundation upon which to build a “Culture of Compliance.” This mindset opens the door to creating added value by improving organizational efficiency, setting clear expectations for team members, instilling confidence in your clients, and ultimately improving your bottom line.
If you need guidance or have questions, the experts at Compliancy Group – ACA’s preferred HIPAA solution – are happy to assist you. Their website offers extensive information about HIPAA requirements, along with personal guidance and support from their team of HIPAA professionals. In more than 16 years of serving chiropractors and other healthcare professionals, no Compliancy Group client has failed a HIPAA audit or received a fine.