HIPAA Q&A: Disclosure of breaches
HIPAA Weekly Advisor, April 12, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q. Do HITECH notification requirements apply if a workforce member not authorized to use or disclose PHI breaches secured PHI?
A. No notification requirement exists with respect to secured PHI. The Office of the National Coordinator for Health Information Technology published a draft definition of “secure” but not a final definition. This means covered entities and business associates must refer to the National Institute of Standards and Technology (NIST) definition if the interim final rule is effective before HHS publishes a final definition.
At this time, ePHI is considered secure if it is encrypted at an appropriate level; paper PHI is secure if it is properly shredded.
Disciplinary action would be in order, however, to comply with the sanction requirements of the HIPAA privacy and security rules.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of experience in IT and specializes in security compliance, assessments, training, and strategic planning.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched