Question
Welcome to a Bite-Size HIPAA® Q&A article where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"We recently had an employee make a mistake and send some PHI to the wrong patients. It only affected about ten patient records, and we immediately contacted them. They were all understanding and are not looking to do anything about it. We corrected our procedure and did a formal sanction of the employee (he felt horrible and is much more careful now). My question is, what else do we need to do? Some people in the office think we are done, and others say that we should report this to HHS as a 'breach'. That seems a little drastic to me since it was only ten patients, but we want to make sure we are doing everything right."
The HIPAA Law
Well, first off, thank you for your question. It sounds like you are doing an outstanding job with this. HIPAA violations can be a little scary, but you're following all the right procedures, so good job. Let's take a look and see what the HIPAA law has to say about reporting small breaches. The first thing to know about the HIPAA Breach Notification Rule is that affected patients must be notified of all breaches within sixty days. As for notifying HHS, there are different rules depending on the size of the breach. For breaches of more than 500 records, you must notify HHS within sixty days as well. For smaller breaches of fewer than 500 records, you don't need to notify HHS until the end of the calendar year.
Based on your question, it sounds like you have already satisfied the patient notification requirement, so we just need to look at the HHS reporting. Since fewer than 500 records were affected, any reporting would not be due until after the calendar year. HHS does this so that providers can keep track of all of their minor breaches throughout the year and then report them all at once. Notice, however, that there is no minimum number of records required before reporting is necessary. All breaches, even if only one patient is affected, need to be reported eventually.
Now, the one potential exception is if the incident doesn't actually fall under the definition of a breach. Generally, any unauthorized access, use or disclosure of unsecured PHI is presumed to be a breach, but the definition has some exceptions that require a more detailed analysis. However, when in doubt, it is safer to report the breach, because a failure to report may constitute willful neglect, which can lead to enhanced penalties.
Summary
So, to summarize: even though this breach only affected ten patients, you still need to report it to HHS within sixty days of the end of the calendar year in which it occurred. As always, you need to consider whether your state has any specific privacy laws that are stricter than HIPAA. Please consult an attorney familiar with your local laws and regulations. Thanks for the question, and keep up the good work.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can't promise I'll be able to get to every question submitted, but I'll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&A's.