Q: If paperwork or other confidential information may have been stolen during a break-in at a covered entity's facility, must the covered entity notify its clients? If so, what is the correct process?
HIPAA Weekly Advisor, February 18, 2008
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
A: A covered entity that suspects PHI or other confidential information about an individual has been stolen is responsible for notifying the individual of the possible theft.
The challenge is determining whether any information was actually stolen and, if so, which specific information was taken. Your security incident response process should include how you will determine whom the incident may have affected and how you will notify these individuals.
Many states have identity theft protection laws that require businesses that store certain types of confidential information to notify individuals affected by a security breach if the compromised information was unencrypted. However, many state laws don't specifically address medical identity theft, which includes the theft of identifiable health information rather than a Social Security number, for example. Also, most state identity theft protection laws only address breaches related to electronic data.
Therefore, depending on what type of information is stolen and in which state the breach occurred, the organization may have a legal responsibility to notify the individual. However, even if notification is not necessarily required by law, sound business practice dictates that notification is the appropriate response, particularly when the information is unencrypted or when the stolen documents contain PHI.
Also, even if the law doesn't require notification, opting to do so may reduce liability and help preserve a business's reputation. Most patients would rather learn about the breach from the covered entity rather than reading about it on the front page of the local newspaper.
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Comments
0 comments on “Q: If paperwork or other confidential information may have been stolen during a break-in at a covered entity's facility, must the covered entity notify its clients? If so, what is the correct process? ”
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched