Unintentional Acquisition, Access, or Use

The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and they do not further disclose the PHI in a manner not permitted by the rule.

For example, a technician might accidentally open the wrong patient chart while carrying out her authorized duties. Her viewing of PHI was both unintentional and in the course of her duties; therefore, the exception applies.

However, if the technician opened the chart to snoop, she is acting deliberately and not in good faith, making the viewing of PHI a breach. Additionally, if the technician shares the PHI she accidentally saw in an unallowable way, such as gossiping, then this is a breach. The only time it is okay to further disclose the information is if it is used for the patient’s treatment.

Inadvertent Disclosure to an Authorized Person

The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and the PHI is not further disclosed in a manner not permitted by the rule.

For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it’s the wrong file and deletes the email. The exception applies here because the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor didn’t further share the information.

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees didn’t see or retain the information inside these envelopes, so the exception applies. However, the EOBs that weren’t returned should be treated as potential breaches.

The key to this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.

Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure were treated as a breach, healthcare would become gridlocked. Therefore, the HIPAA privacy rule allows these three exceptions to a breach.

Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and see whether or not an exception applies. If one does, document the incident and the exception you applied and keep it on record. If none of the exceptions apply, conduct the four-factor breach assessment to determine the risk level.

Clinical labs and other health care providers have become a favorite target for hacking and cyberattacks. While prevention should be your priority, you must also be prepared to respond and minimize the damage when a data breach occurs. Providing timely notification under the HIPAA Breach Notification Rule is a crucial part of breach response.

More than one provider has learned this lesson the hard way. The Notification Rule requirements are enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and the price tag for violating these rules is quite high:

- Presence Health in Chicago paid $475,000 in 2017.
- Sentara Hospitals in Virginia paid $2.175 million in 2019.
- Touchstone Medical Imaging in Tennessee paid $3.00 million in 2019.

Here is an overview of the Notification Rule and how to comply with it:

What the notification rule requires

The Notification Rule requires providers to notify affected parties of breaches that compromise protected health information (PHI). Notification must be provided “without unreasonable delay” and no later than 60 days after discovering the breach. The settlements listed above indicate how strictly the OCR enforces the rule and holds violators accountable.

Why you need a policy

Breach notification is not something you can do on the spur of the moment. You must plan ahead and implement a policy that allows you to:

- investigate incidents where PHI has been compromised,
- determine whether the incident constitutes a breach requiring notification, and if so,