Investigating and Reporting HIPAA Breach

November 9, 2015

AMARILLO, TX – A DME supplier is a “covered entity” as that term is defined by HIPAA. A DME supplier possesses “protected health information” (“PHI”) pertaining to its customers. If the supplier learns that PHI has been delivered to a person who is not entitled to it, then the supplier has the duty to investigate whether the “privacy and security of the PHI has been compromised.”

Breach Analysis
The unauthorized access, disclosure, or use of PHI is presumed to be a reportable breach under HIPAA unless the DME supplier determines, through its investigation and analysis, that the privacy and security of the PHI has not been compromised. 45 CFR 164.402 identifies the following factors that must be considered by a DME supplier when the supplier analyzes the unauthorized access, disclosure, or use of PHI:

• “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.”
• “The unauthorized person who used the protected health information or to whom the disclosure was made.”
• “Whether the protected health information was actually acquired or viewed.”
• “The extent to which the risk to the protected health information has been mitigated.”

Reporting Obligation
If the DME supplier determines that the privacy and security of the PHI has been compromised, then for a breach involving the information of fewer than 500 individuals, the breach must be reported to (i) the individual and (ii) the Office for Civil Rights.

Letter to the Individual
When reporting the breach to the individual, the DME supplier must send a letter to the individual within 60 days after discovery of the breach. 45 CFR 164.404 requires that the letter include the following information (“to the extent possible”):

• “A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.”
• “A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).”
• “Any steps individuals should take to protect themselves from potential harm resulting from the breach.”
• “A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.”
• “Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.”

Reporting to OCR
Instructions for submitting a report to the OCR are available here:

The report should be submitted to the following website: 

Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. Allison D. Shelton, JD, is an attorney with the Health Care Group at Brown & Fortunato, PC. They represent pharmacies, infusion companies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320. Shelton can be reached at (806) 345-0338.