• E-mail
• Print
• RSS

When should we voluntarily tell patients about privacy breaches?

HIPAA Weekly Advisor, August 14, 2006

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Many organizations have struggled with this issue, trying to balance protecting the patient from harm against protecting their own reputations within their communities. It's always a good idea to discuss specific situations with legal counsel before deciding whether to report breaches to patients and how much information to disclose.

Generally, you should disclose a breach to the patient if you think there is a reasonable likelihood that the patient will be harmed by the breach. For example, if a collection of patient records is found in a public dumpster and the news media reports the story, it's probably a good idea to notify the patients whose records were found and let them know what happened and how you're handling the incident.

But if there's a very low risk of harm to the patient, you may choose to address the problem without notifying the patient. For example, if a copy of a lab report is faxed to the wrong physician's office, you'll want to investigate how the error occurred, but it's not likely that the patient would be harmed by this mistake.

Editor's note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive