RemedySpot.com

RE: Patient Identification Theft - Records Stolen -- Need suggestions


Guest guest

- Here are the updated "breach" regulations.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Following the HITECH updates to HIPAA, enforcement has taken on a new mandate - and the OCR has already noted several cases and the fines. If you would like further info on some actual incidents please give me a call.

J. Beckley, MS, MBA, CHC

Beckley & Associates LLC

http://nancybeckley.com

http://rehabcomplianceblog.com

Direct:

Breach Notification Requirements

Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.

* Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

* Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

* Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

* Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Breaches Affecting Fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1, 2010. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that has occurred during the calendar year.

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

New Phone:

J. Beckley, MS, MBA, CHC

Beckley & Associates LLC

http://nancybeckley.com

http://rehabcomplianceblog.com

Direct:

From: PTManager [mailto:PTManager ] On Behalf Of Kovacek

Sent: Wednesday, March 30, 2011 3:09 PM

To: PTManager

Subject: Patient Identification Theft - Records Stolen -- Need suggestions

PTManagers

I am hoping someone on this list can help with a situation that I have no experience with.

A PT colleague of mine had his car broken into and a small number of patient records were stolen. Patient records were typical notes etc but were full charts with patient specific information that would be valuable to an identity thief.

The therapist has identified all the missing charts, met with each patient to explain the situation and provided each patient with an identity theft protection plan for at least the next 12 months. Fortunately, because he got to the patients immediately, there is not a public relations issue with the patients.

If anyone else has [unfortunately] had any experience with this sort of event, are there other actions that the therapist should take to protect himself, his company and his patients?

Thanks in advance for your ideas and suggestions.

Kovacek, PT, DPT, MSA

PKovacek@... <mailto:PKovacek%40PTManager.com>

Cell

Personal Fax

www.PTManager.com
