Medical Justice provides free consultations to doctors facing medico-legal obstacles. We have solutions for doctor-patient conflicts, unwarranted demands for refunds, online defamation (patient review mischief), meritless litigation, and a gazillion other issues. We also provide counsel specific to COVID-19. If you are navigating a medico-legal obstacle, visit our booking page to schedule a free consultation – or use the tool shared below.

The ugly (but expected) truth: Penalties specific to breaches of medical records are steep. How steep?  A healthcare entity liable for a breach could see a fine as large as $1.5 million – or more. And the penalties go beyond cash payouts. If 500+ patients are affected by the breach, the entity responsible is required by law to inform the media, devastating the practice’s reputation. Keep in mind patients affected by the breach must also be notified. Practices at the center of a breach are burdened with a “reputation deficit” that will likely take many a long time to neutralize. 

The importance of keeping sensitive information under an impregnable lock and key cannot be overstated. So, what should doctors do when a breach does occur? 

The practice affected must determine the likelihood Protected Health Information (PHI) has been compromised. If the risk is low, the breach does not need to be disclosed. If the risk is high, the breach must be disclosed, and the entity responsible will be subjected to the potential fines. What are those penalties? And how should doctors measure the severity of a breach? This piece will answer both of those questions, and many others like them. 

But before jumping in, some fast advice: If you are a doctor navigating a breach of medical records, request a free consultation with our Founder and CEO, Jeff Segal, MD, JD. We are equipped to a) facilitate a smooth, compliant recovery and b) help you prevent future breaches. 

If you haven’t experienced a breach and are determined to keep your nose clean, we can verify your existing protocols are bullet resistant. A free consultation will keep you on the right path. 

With that said, in the event of a breach, what is the first action a doctor should take? 

Close the breach – immediately.  

The practical hand prevails here. Government compliance will come later – for now, you must contain the breach. If the breach can be traced to a leaker (an employee/third-party vendor), run the extra mile to limit their access to destructive or privileged information. Restricting their access is only the beginning. Fire them. And repossess any electronic devices that could harbor sensitive information. Once you’ve confirmed they can do no more harm, remove their access to your system and immediately terminate your relationship with them.  

This may include a vendor, an accountant, or a cloud based EHR provider. Most Business Associates Agreements (BAAs) will place responsibility for confidentiality squarely on their shoulders, not yours. With that said, just because you are not responsible for policing those records does not mean you should drag your feet. The quicker you act, the more likely you’ll mitigate the inevitable damage. If reporting is necessary, that responsibility lies with you – not your Business Associate. 

And in the interest of covering all your bases – in the event a device containing PHI (phone, laptop, tablet, etc.) was stolen, contact the police. Need help devising a plan of action? Request a free consultation with our Founder and CEO, Jeff Segal, MD, JD. We coordinate with Mike Sacopulos, our general counsel, with substantive niche expertise in this arena. Use the link above (or the tool shared below) to schedule a consultation. 

The path to recovery begins with fast action. Treat the breach like an open wound. You must staunch the bleeding. If you do not act and the situation worsens, you will likely be held liable for damages suffered by your patients. And the doctor who sits and stares, hoping that things will improve, may face charges of willful negligence.  

The clock is ticking. You’ve 30 days to correct the situation as best you can – if you cannot do that, you are at risk for a $5,000 fine per violation.  

Once the breach is contained, determine if you must report it. 

Once the breach is addressed, you must answer the following question: Is this reportable?  

Let’s make one thing clear: Making this determination is a high-level challenge. Enlist experts. This is not a DIY kind of problem. Unless you are certain the breach was extremely limited, hire a lawyer who is a) healthcare specialist and b) comprehends the Federal laws specific to breaches of medical records. This entity will walk with you to determine the severity of the breach and address the likelihood private health information (PHI) was compromised.

This process starts by dissecting the breach event itself. To supply an example, pretend a laptop was stolen. If all patient data on the laptop was properly encrypted, it is unlikely a breach has occurred.  

Addressing the opposite end of the spectrum, let’s pretend a former employee of the practice leaked patient data in response to what he perceived to be an unjust termination. In this case, a breach is certain. Here are four questions you and your attorney must consider when measuring the severity of a breach… 

A) What PHI was breached?

You must determine the sensitivity of the material breached. Data specific to appointment times is less severe than information specific to a patient’s existing health conditions. Breachs specific to financial identifiers (social security numbers and credit card information) are especially severe. 

B) To whom was the PHI exposed?

If the PHI was exposed to a fellow physician, the breach is considered less severe. Conversely, an employee discoursing about a patient’s health on social media is a severe breach.  

C) Was the PHI actually viewed? 

This is specific to snail-mail situations – such as receiving a misaddressed envelope and returning it to its rightful place unmolested. A deciding factor: If the PHI is never seen, the breach does not matter. 

D) Has the risk been mitigated?

This is a two-parter. This step concerns the breach itself and your efforts to correct the problem after the breach is qualified. Recall the stolen laptop: If the files were encrypted, the encryption itself mitigates the risk of a breach. But if a malicious employee stole passwords? Shut the corresponding system down to neutralize his access.  

And keep records specific to these circumstances. You’ll want these handy in the event a regulatory agency (such as the Office of Civil Right for Dept. Health and Human Services) demands access to them. If you determine PHI has been compromised, your duty is to notify your patients and the public.  

In the event a substantial amount of PHI has been compromised, you must prepare to notify the HHS and your affected patients – and possibly the media.  

It is at this point you must also investigate your state laws. To be clear, HIPAA is the floor. It represents the bare minimum you must do in respect to patient privacy. It is possible your state has even stricter requirements – so you must investigate. Your next obligation is to determine how many patients were affected by the breach. If the number of affected patients is greater than 500, you must inform the HHS, the media, and the affected patients. Not a good day.  

When notifying patients, keep the explanation short and focused. It is important the layman patient understands there has been a breach. Make it clear the breach is contained and that entity/deficiency responsible for the breach has been neutralized. 

To ensure all your bases are covered, enlist the help of an attorney – you want to make sure the notice is HIPAA compliant before publicizing it. This is another time-sensitive obligation. You have 60 days to notify the public, but the sooner you act, the better. If the breach leaked credit card numbers or social security numbers, you’ll want evidence you acted as quickly as possible.  

Need help devising a plan of action? Request a free consultation with our Founder and CEO, Jeff Segal, MD, JD. Use the link above (or the tool shared below) to schedule a consultation.

In such cases, we advise making a phone call and following up with an email. Complete the act by sending a notice via certified mail. This may seem excessive until you consider how quickly an identity thief can injure a victim’s finances/credibility. 

If you notify affected patients via email, make sure that email is delivered via a HIPAA-compliant carrier or an encrypted patient portal. It is not uncommon for notifications specific to breaches of privacy to become privacy breaches themselves.  

Placing a notice on your website is also advisable – just make sure specific patients are not named. Patients should be encouraged to contact the practice for answers to questions. 

On that note, you must prepare your staff to address patient inquiries related to the breach. And set the correct expectations – it is likely those who contact the practice will be angry and anxious. Document a process and train your staff accordingly. Expect patients to ask hard questions – questions you are likely not equipped to answer without preparation and legal counsel. If your staff receives a question they cannot immediately answer, train them to record the question and promise to follow-up with an answer. Be prepared to discuss such questions with your attorney in advance of supplying an answer.  

Lastly – keep these calls logged. It is likely the OCR will request access to them.  

You must now look to the future. Consider the breach a warning – identify and correct the deficiencies that enabled the breach ASAP. 

The OCR may not arrive to audit you for up to a year. But when it does arrive, investigators will expect evidence you’ve taken steps to prevent future breaches.  Firing the employee responsible and encrypting sensitive data is a start, but you must do more. Written guidelines are gold. Be prepared to demonstrate that employees have access to these guidelines and have been trained to implement/understand them. You should reinforce this training by hiring/appointing a compliance manager. Their job? Stop/anticipate future breaches. Include protocols specific to future breaches. It should be clear who is to be contacted in the event of a problem.  

Lastly – research / implement a relevant insurance policy. 

Do you know if your malpractice policy includes coverage specific to cyber-liability? If you don’t know, ask – and do it today. The worst time to find out you aren’t covered for such events is after a breach occurs. And sweat the details. Not all such policies are equal. What is covered varies. A lot. Many malpractice policies do provide a modest amount of cyber-liability coverage – often to the tune of $25,000 – $50,000.  

The problem: In the event of a breach, the cost of simply notifying affected patients will likely drain that amount – leaving you with little to address actual damages/defense costs.  

When considering a cyber-liability policy, request coverage for legal fees and regulatory fines. You’ll also want the costs of investigating and qualifying a breach covered in your policy. Lastly, the costs of notifying patients should be covered. Other considerations include covering the cost of credit monitoring (for patients affected by the breach) and coverage for advertisements focused on rebuilding a reputation damaged by a breach of medical records. 

In closing, let’s review our key points… 

Once you are certain a breach has occurred, you must act quickly. Consult an expert to determine if the breach is reportable to the HHS. Bear in mind a large breach must also be reported to the media. And even if the breach is not large enough to warrant notifying the media, affected patients should always be notified. Just make sure you don’t violate HIPAA in doing so. Train your staff to identify/report/correct future breaches before they happen – and strongly consider outfitting your practice with cyber-liability insurance. 

Medical Justice is equipped to help doctors nail these high-level challenges. Our general counsel, Mike Sacopulos, JD, is an expert in this field. If you are embroiled in a breach of medical records, request a free consultation to learn how we can a) facilitate a smooth, compliant recovery and b) help you prevent future breaches. 

If you haven’t yet experienced a breach and are determined to keep your nose clean, we can verify whether your existing protocols are bullet-proof. A free consultation will keep you on the right path. Use the link above (or the tool shared below) to schedule a consultation.

Doctors must remain vigilant to reduce the risk sensitive information will be exposed. Let us know your thoughts in the comments below.

Learn how Medical Justice can protect you from medico-legal mayhem… 

Jeffrey Segal, MD, JD

Chief Executive Officer and Founder

Dr. Jeffrey Segal, Chief Executive Officer and Founder of Medical Justice, is a board-certified neurosurgeon. Dr. Segal is a Fellow of the American College of Surgeons; the American College of Legal Medicine; and the American Association of Neurological Surgeons. He is also a member of the North American Spine Society. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country’s leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.

Dr. Segal was a practicing neurosurgeon for approximately ten years, during which time he also played an active role as a participant on various state-sanctioned medical review panels designed to decrease the incidence of meritless medical malpractice cases.

Dr. Segal holds a M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. Dr. Segal served as a Spinal Surgery Fellow at The University of South Florida Medical School. He is a member of Phi Beta Kappa as well as the AOA Medical Honor Society. Dr. Segal received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.

In 2000, he co-founded and served as CEO of DarPharma, Inc, a biotechnology company in Chapel Hill, NC, focused on the discovery and development of first-of-class pharmaceuticals for neuropsychiatric disorders.

Dr. Segal is also a partner at Byrd Adatto, a national business and health care law firm. With over 50 combined years of experience in serving doctors, dentists, and other providers, Byrd Adatto has a national pedigree to address most legal issues that arise in the business and practice of medicine.