Last month, someone invaded our Pregnancy Medical Clinic in the middle of the night. Every locked drawer was broken into, including our client files. We verified that no files were missing. In fact, none of the files appeared to have been tampered with. How should we have handled that situation?
I am sorry to hear that someone broke into your Pregnancy Medical Center. According to Lorraine Mazurek, our national HIPAA consultant, here is the proper process that should be followed after PHI has been compromised:
1) Notify all patients who may have been affected.
2) Document who you notified and those you were unable to notify.
3) Report the breach to the Secretary of Health and Human Services, and include the police report.
4) All documentation should be submitted to the Board of Directors and duly noted in the Board Meeting Minutes.
NOTE: Make sure you are completing our annual Risk Assessment 2013 tool with documentation of risks and how they were mitigated.