How Can a Breach Be Good Medicine?

Are you among the lucky healthcare providers who have never experienced a breach of Protected Health Information (PHI)?

Having gone without a breach could provide a great sense of confidence that you are running your organization in a secure and well-organized way. However, are you absolutely sure about that? Statistics show that you are probably kidding yourself if you think you haven't had a breach of some kind.

Several types of breaches can occur, as seen in these examples from the breach log from OCR (Office of Civil Rights). Throughout the daily workflow of patient care, a breach can occur with remarkable frequency.

10 Common Breaches

1. Giving a patient a visit summary belonging to another patient.
2. Sending an email or fax to the wrong recipient.
3. Mailing an entire medical record, or part of, to the wrong patient.
4. Having computer monitors positioned in a way that patients or visitors could read PHI to your facility.
5. Having a device stolen that was used for accessing or storing PHI.
6. Disposing of PHI in the trash instead of a shred box.
7. Sending a text message or email containing PHI without reasonable safeguards in place.
8. Employees disclosing PHI to friends or family.
9. Being less than circumspect when discussing patient information in the presence of others.
10. Having a computer monitor not set to properly time-out when not in use.

Breaches come in all sizes, not all breaches are massive, multi-patient ones with high-stakes; as seen above, they can be simple every-day, routine situations. But, even simple and small breaches are still considered a breach! Regardless if you may think they don't happen to your organization, they probably do, despite your best efforts. Even with all the training, awareness, concern, and dedication in the world, it does not make people perfect, and mistakes happen. People make mistakes, and those mistakes can be costly!

So, How is a Breach "Good Medicine"?

Charles Parkhurst famously stated once, "It is not often that joy reaches so deep a place in men's hearts as sorrow does. Defeat touches men in a way that victory does not."

A breach can be a dose of good medicine when used as a learning opportunity. "I'll never do that again!" is a perfect phrase that shows how when a person makes an error, recognizes the mistake, and then corrects it, it leads to the probability of a recurrence being greatly diminished.

What about the OCR?

Do you think the OCR believes that a breach has never occurred in a practice? Probably not. Subsequently, how would a practice be viewed that has the occasional breach, recognizes it, reports it, and then takes corrective action? They would be viewed as in the least, honest, responsible, and attentive. In some ways, breach discovery, reporting, and mitigation can be good medicine by inoculating your practice against skepticism in the event of an audit.

Breaches are something that can occur from time to time, and there should always be precautions in place for their prevention. If one does occur, give it the respect it deserves. Recognize it, report it, take corrective actions and of course, learn from it!

Finally, just because a "Breach" can be good medicine, it's still painfully obvious that one should never occur on purpose. Or did we even need to mention that!? Be careful. Do everything you can to avoid a "breach," but if one does occur, give it the respect it deserves and take it as "Good Medicine."

March 1, 2021 Deadline for Reporting

Did you have a breach last year affecting 500 or fewer individuals? If your organization experienced a breach of unsecured protected health information that affected fewer than 500 individuals, the Secretary of the U.S Department of Human Health and Services must be notified of the breach within 60 days of the end of the calendar year in which the breach was discovered. The deadline for reporting HIPAA breaches affecting fewer than 500 individuals is March 1, 2021. For additional information, please click here.