Whether it occurs as the result of a lost work laptop or stolen patient files, a breach of protected health information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA) is a worst-case scenario for healthcare providers (and patients). If you’re a healthcare provider, the minutes, hours, and days following a breach are nearly as important as the steps you take to prevent those breaches in the first place. If you experience a HIPAA breach, here’s what you can do to help protect your patients—and your practice:



Legally, healthcare providers must investigate any suspected breach. That means your practice must determine the size and scope of the breach to assess whether the probability that PHI has been compromised is low or high. Specifically, Medical Economics recommends performing a risk assessment based on these questions:

  • What is the nature and extent of the PHI involved? What types of identifiers does the data include, and how easily could they be re-identified?
  • Who received or used the PHI?
  • Was the PHI actually acquired or viewed?
  • Has the risk to the PHI been mitigated? If so, to what extent?

You’ll also need to establish the number of affected patient records, because that number determines which reporting requirements apply in the next step of your breach survival guide.


The manner in which you handle post-breach communications can make or break your practice. (Psst—your practice should already have crisis messaging in place for such an occasion.) As much as I’m sure you’d love to keep the breach quiet, well-timed and strategic communications with your patients, employees, business partners, and vendors will help manage patient concerns and minimize the spread of misinformation. Plus, your practice is legally required to notify the affected patients—regardless of the scope of the breach.

However, there are two additional reporting requirements that do depend on the size of the breach:

  1. According to the U.S. Department of Health and Human Services, “A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals.” If the breach affects fewer than 500 patients, your clinic isn’t under much of a time crunch. So long as you report the breach to the Office for Civil Rights (OCR) “within 60 days of the end of the calendar year in which the breach was discovered,” you’ve fulfilled your reporting requirements (though you can report sooner, if you wish).  

    However, if you experience a breach that affects 500 or more patients, your clinic must report the breach electronically “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” This Government Health IT article explains that if you do need to report the breach to the OCR, you’ll need to document several key pieces of information, including:

    • the number of affected patients;
    • your practice’s efforts to notify those patients;
    • a description of the type of PHI that was compromised;
    • steps individual patients should take to protect their privacy; and
    • a description of your damage-control efforts and how you plan to prevent future breaches.
  2. For breaches that affect 500 or more patients, your practice also must report the breach to the news media. If a breach is particularly large, your practice likely will attract a lot of media attention. Make sure your employees know not to engage members of the press without approval or appropriate messaging. Better yet? The above Government Health IT article strongly recommends retaining a “public relations firm with strong experience in crisis communications and reputation management” to help preserve your practice’s reputation.


Brace yourself—the financial fallout is coming. Ideally, your practice has a reserve of funds for emergencies such as this, but even if that’s the case, you’re probably in for a bumpy ride. Between the costs of investigating the breach, obtaining PR services, and making necessary IT security upgrades—not to mention the potential lawsuits and hefty OCR fines—your practice stands to lose and/or spend a large sum of money in a relatively short amount of time. Moreover, the loss of patient trust could hit your bottom line even harder. Thus, the better (and faster) you handle the two steps outlined under Communicate—and obviously, the better you prevent breaches in the first place—the better off your practice will be financially.

A HIPAA breach is probably your worst nightmare as a healthcare provider. Of course, you want to do everything in your power to ensure your practice never suffers such a breach, but accidents—and hackers—happen. Appropriately investigating, communicating, and budgeting for a HIPAA breach won’t erase the consequences, but it certainly will increase your practice’s chances of survival. Has your clinic suffered—and recovered from—a data breach? Tell us about it in the comments below.
