How Breaches Can Impact Your Practice


Health care data breaches have become a common scenario for hospitals, health systems, and individual care providers. 


Technology is only going to continue to evolve, and we cannot go on with the mentality that a breach will not happen to our practice; we need to work with the mentality that it is just a matter of time before an entity encounters a breach.



Responsibilities of Covered Entity

After a breach has been discovered, a covered entity must notify each potentially affected individual within 60 days (30 days for Colorado).  See the New Colorado Notification post.  If fewer than 500 individuals are affected, the entity must notify HHS no later than the end of the calendar year.  If 500 or more individuals are affected, the entity must notify HHS immediately and notify all prominent media outlets.  The covered entity also bears the responsibility to investigate the breach, mitigate harm, and prevent further breaches from occurring.


Breach Recovery

It can take an entity years to regain its footing after a breach, depending on the type of breach, the number of affected individuals, and the type of technology at the facility.


A 2015 study from Software Advice showed that 45% of patients are moderately or very concerned about a security breach, and 54% of patients are moderately or very likely to change doctors as a result of a data breach.


As you can imagine, health care data breaches have multiple financial and reputational impacts on the entity.  The entity may have to pay fines, and must spend resources on the investigation and mitigation of the breach.  The entity must then deal with the consequences of losing patients, and regain the trust of patients by proving to them that it is capable of protecting their information.  The entity's breach is also placed on the "Wall of Shame" by HHS, for all the public to see.


A breach can affect every aspect of your practice: it can lead to billing problems and refunds from payers; poor compliance could weaken your defense against medical liability claims; and passing insurance audits and quality reviews of patient records will depend on the practice's efforts to protect the integrity of PHI.



HIPAA compliance needs to be tailored to the complexity and size of your practice!  Taking shortcuts increases the risk of problems and penalties.  Using generic materials from the internet that have never been customized for the practice, and conducting training once years ago and never repeating it, are common failures among practices.


