Is The Breach Purposeful or Inadvertent?
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, deals with breaches of unsecured protected health information (PHI). It is a specific regulation requiring any individual or organization covered by HIPAA to report such breaches to the affected individuals and to the Secretary of Health and Human Services (and, for larger breaches, to the media), regardless of why they occur.
These reporting rules apply to all covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to their business associates, including subcontractors. Since the HITECH Act and the 2013 Omnibus Rule, business associates that might not otherwise have been covered by HIPAA regulations are directly subject to the rule. Vendors of personal health records that are not covered by HIPAA fall instead under the Federal Trade Commission's separate Health Breach Notification Rule.
In light of the serious penalties provided for under the law, any possible breach must be treated as something to be avoided. Everyone who handles personal health records of any type, printed or digital, must also understand that they are obligated to report breaches. Under the rule, an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the information was compromised; a breach therefore cannot be dismissed merely because it is only suspected and not definitively confirmed.
It is also important to understand that notification is required even when the disclosure was accidental and no harm was intended. For example, if patient records are accidentally thrown out without proper shredding, the incident must be assessed and, absent a documented finding of low probability of compromise, reported. HIPAA is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services; the Federal Trade Commission enforces only the separate breach notification rule for personal health record vendors that are not covered by HIPAA.
The Importance of Proactive HIPAA Compliance
When a HIPAA breach occurs, the investigation that follows the report will look closely at the policies and procedures in place at the organization where the breach happened. If those policies are found to be lax or to lack proper safeguards, the penalties are more severe: civil penalty tiers are based on the organization's level of culpability, with the highest tier reserved for willful neglect that is not corrected. In the most severe cases, civil fines can reach $1.5 million per calendar year for violations of an identical provision, and there are separate provisions for criminal charges.
Taking proactive steps to prevent even accidental HIPAA breaches includes proper destruction of all paper and digital patient records when no longer used or nee