Q/A: Someone Broke into My Office. What do I do Now?

My office was broken into last night. I use electronic health records, but we do store some protected health information for my patients in paper files. These files are not secured, so the burglars did have access to them. It did not appear that the files were touched as the burglars were looking for cash. What responsibilities do I have to my patients in a situation like this? Do I need to contact them and advise them that their PHI could have been compromised?

An Important Rule that You’re Probably Not Following

The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Assessment (SRA) for your organization, at a minimum of once per year. It is critical that practices perform the Security Risk Assessment for multiple reasons. One is compliance with rules and regulations. Another, which you may find more motivating, is protecting your practice (and bank account) from what could become disabling fines and penalties.