Lost or Stolen Records
What must the doctor do if patient records are lost or stolen?
Breach of health information security has both regulatory and financial liability consequences. Under federal privacy laws and rules, the loss or theft of records would be considered a breach of HIPAA. The doctor is required to:
- Advise all patients whose records were involved that their information was compromised;
- Advise the Department of Health and Human Services/Office of Civil Rights that the breach happened and the steps taken by the doctor to mitigate (such as credit monitoring) and prevent future occurrences; and
- Review all policies and procedures to make sure they are HIPAA compliant.
Details concerning these requirements may be found on the government’s website at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
In addition, HHS issued guidance in 2006 on remote/home access to HIPAA-protected information. The link can be found at: https://www.hhs.gov/hipaa/for-professionals/security/index.html
With regard to potential monetary liability, some insurance policies cover a business owner for data breaches. The physician should notify his or her carrier immediately upon discovering the breach. Often, when the doctor has coverage for this type of occurrence, the insurance company may help fund the patient notification process, as well as pay for the cost of credit monitoring.