Your organization must notify people if a breach (or potential breach) of privacy or security of protected health information occurs. A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.”
Following a breach, covered entities must notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media.
In addition, if a business associate experiences an unallowable release of protected health information, it is required to notify the health care provider organization that transmitted the information about the disclosure. The provider, in turn, must make the required notification to the Government and media, as appropriate.
There are three exceptions to the definition of breach. Disclosure under these circumstances is not considered a breach:
- By a workforce member acting under the authority of a covered entity or business associate.
- From a person authorized to access protected health information to another person authorized to access protected health information. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
- When there is a reasonable expectation that the recipient would not have been able to retain the information.
Read more about breach notification.
Source: U.S. Department of Health & Human Services, “Unauthorized Disclosures of Information.” http://www.hrsa.gov website. Accessed December 2, 2015. http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_3.html
© Copyright 2016. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.