Breach notification
HIPAA Weekly Advisor, December 15, 2008
Q. It’s my understanding that HIPAA doesn’t require breach notification except through an accounting of disclosures. When the information breached is encrypted, must we include it in the list of disclosures when a patient requests an accounting of disclosures?
A. HIPAA may not specifically require patient notification in the event of inappropriate disclosure except through the accounting of disclosures. But although HIPAA does not always require notification at the time of a breach, state law might. Currently, more than 40 states require breach notification under certain conditions.
For example, California recently enacted medical identity theft protection legislation that broadens when and to whom notification must occur. Currently, most state laws don’t require notification when the information breached was not electronic or when electronic information was encrypted.
However, the HIPAA privacy rule does not allow this exception. If the data is encrypted and a breach occurs, it still needs to be included in the accounting of disclosures. It is appropriate to notify affected patients when a breach includes unencrypted PHI, including paper breaches. Not doing so can lead to significantly higher legal risk, damage to the facility’s reputation if someone discovers the breach and reports it to the press, and loss of business due to subsequent lack of trust.
The HIPAA security rule does require the formation of a security incident response team, and the team is responsible for mitigation of damages. The security rule does not explicitly state that mitigation includes patient notification, but it is an important part of mitigating damages and can help patients avoid identity or medical identity theft.
Therefore, although it may be highly appropriate to do so, notifying patients about a breach goes beyond state and federal law requirements and thus remains up to a covered entity’s judgment.
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
