South Florida Hospital News
Friday December 14, 2018

July 2012 - Volume 9 - Issue 1




HITECH Act Reporting Depends on Clear Communications

Increasingly, healthcare providers and their business associates are using portable electronic devices to access patients’ electronic medical records. Although most physician offices, hospitals and other healthcare organizations make every effort to safeguard patients’ privacy and the security of their records, smartphones, tablets and laptops – and the protected health information (“PHI”) stored or accessible on them – may be lost or stolen, resulting in a potential breach. A breach occurs when an unauthorized use or disclosure of unencrypted PHI poses a significant risk of financial, reputational or other harm to the patient.
Once they are aware that a possible unauthorized use or disclosure of unencrypted PHI has occurred, covered entities and business associates must conduct a risk assessment to determine if there has been a breach. If the risk assessment indicates there has been a breach, the covered entity or business associate is obligated to notify, in writing, the patients whose PHI has been impermissibly used or disclosed and, in instances where more than 500 patients are involved, also notify the media.
While the HITECH Act regulations set out the substance of the information that must be provided to the patients and the media, the way in which the information is communicated can make a significant difference in patients’ and the public’s perceptions of the covered entity or business associate. In addition to consulting with counsel to ensure compliance with the HITECH Act’s reporting requirements, the covered entity or business associate should consider adopting a number of important communications guidelines, depending on the scale of the breach and the likelihood of media involvement.
• Gather all decision-makers with counsel and, if possible, a communications professional to discuss the proper written and oral messaging. As in any crisis, the messages should be clear, honest and compassionate. The most senior executive needs to explain what happened, express sincere regret and outline steps for preventing a reoccurrence.
• Create a list of anticipated questions and answers and rehearse all possible answers in advance. Anticipate and be prepared for the worst-case scenario.
• Appoint a single credible spokesperson, someone who is comfortable, and ideally has experience, speaking with the media. Rehearse.
• Develop talking points for staff and instructions on how to handle inquiries from both the media and patients.
• Meet with staff prior to informing patients and the media, so they hear the facts directly from the supervisors.
• Time the news release and patient communications to prevent staff or patients from hearing about the breach from the media.
• NEVER avoid media calls. Do not feel pressured to answer their questions on the spot. Instead, take the time to prepare, and then provide reporters with open, honest and clear answers.
• If working with a third party to investigate, for example, the local police department, Postal Inspector, etc., solicit the third party to provide comments.
• Return all calls within a few hours to help stem the rumor mill and keep patients calm.
These guidelines for proper breach notification can enable providers to meet their legal obligations while reassuring patients and the public that the provider is acting responsibly to protect the patients’ interests.
Vanessa A. Reynolds is Of Counsel in the Fort Lauderdale office of Broad and Cassel. She can be reached at (954) 764-7060 or