My office was broken into last night. I use electronic health records, but we do store some protected health information for my patients in paper files. These files are not secured, so the burglars did have access to them. It did not appear that the files were touched as the burglars were looking for cash. What responsibilities to I have to my patients in a situation like this? Do I need to contact them and advise them that their PHI could have been compromised?
Regardless of whether or not you think that there was a breach, HIPAA mandates that you do a Breach Risk Assessment and document the results including police reports of the incident.
Depending on the results of that risk assessment, you would then take whatever is considered the appropriate steps. To be perfectly honest, even if it looks like they did not open the file cabinets, you do NOT have definitive proof (unless you have fingerprinting done on the cabinets or a video tape showing that they did not enter that area) that the burglars did not view PHI.
At the minimum, you need to notify your patients that there was a potential breach of PHI along with an explanation of why you believe it is only a potential breach. Comprehensive instructions can be found in Chapter 1.6 the Complete & Easy HIPAA Compliance publication which is available in the online store. It also includes a downloadable HIPAA Breach Risk Assessment document.
NOTE: Your state may also have breach notification rules so you would need to check with your state to see if their standards are more stringent than HIPAA regulations.
TIPS: Take some proactive steps now to minimize potential problems in the future.
1. Invest in some locking file cabinets and/or video surveillance cameras. Compared to the costs of breach fines, it is worth the investment.
2. Do a Security Risk Assessment today - if you haven't already done one this year. They are required to be conducted annually. It will help you identify potential areas of concern which need to be addressed. CompliantChiro.com offers an online risk assessment. For a manual version, see the Complete & Easy HIPAA Compliance publication.