HIPAA Q&A: Substitute notification
HIPAA Weekly Advisor, July 12, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q. If a breach of PHI occurs and the business associate (BA) or covered entity does not have current contact information for 10 or more individuals, substitute notification is required. What does the interim final rule on breach notification require with respect to substitute notification?
A. Pursuant to the substitute notification requirements, covered entities must prominently post a notice including information about the breach on the home page of their Web site for no less than 90 days. The notice must include a toll-free number for patients to check whether their PHI is affected that is active for no less than 90 days. Alternatively, covered entities may provide notification about the breach, including the toll-free number, through major media outlets in the area where individuals affected by the breach likely reside.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched