Health Information Management

HIPAA Q&A: PHI sent to wrong address

HIM-HIPAA Insider, October 19, 2012

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. What is the appropriate action when a statement is sent to the wrong address and an unintended recipient opens the envelope, either because of incorrect patient information or a keystroke error?

A. This is a breach of nonsecure PHI that necessitates a mini risk analysis. If it is determined that the breach will cause significant harm to the ­patient, you must provide written notification of the breach, maintain a breach log, include the incident in the patient’s disclosure accounting log, and notify OCR within 60 days from the end of the calendar year (45 CFR 164.402, 404, and 408).

Even if it is determined that the breach will not cause significant harm to the patient, the breach represents a security incident and must be documented. The HIPAA Security Rule applies only to ePHI, but the “mini Security Rule” language in the HIPAA Privacy Rule requires covered entities to implement administrative, physical, and technical safeguards for all PHI regardless of form (45 CFR 164.530(c)).

This means, as with the HIPAA Security Rule, that you must investigate security incidents and document investigations and mitigating actions taken, if any.

Editor’s note: This Q&A appears in the November 2012 edition of the HCPro, Inc. newsletter Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular