HIPAA Q&A: Breach notification

HIM-HIPAA Insider, December 14, 2009

Q. Our home health and hospice agency has mailed or faxed patients’ orders to the wrong physician (with the same last name) due to an incorrect selection in the computer. We currently write up an incident report and track/account for inadvertent disclosures. The receiving office destroys the information as it does its own PHI.

Are we required to maintain an annual log of breaches and submit the log to HHS? This information is not addressed in the guidance. Are only breaches involving more than 500 people required to be reported to HHS? If we are to submit an annual log, must we report the above example, since another healthcare provider destroyed the PHI? Must we notify the patient of the breach in the above example?

A. In determining procedures for handling breaches, look at the security breach notification's interim final rule on the definition of a breach. The interim final rule states, “if there is no significant risk of harm to the individual, then no breach has occurred, and no notification is required.”

The inadvertent disclosure described in the question doesn’t appear to be a breach under the interim final rule. In fact, it includes a harm threshold provision that eliminates such breaches from notification. Thus, you wouldn’t be required to log it or notify the patient.

You must immediately report any breaches involving 500 or more individuals to HHS. If a breach involves fewer than 500 individuals, you must maintain and annually submit a log of such breaches to HHS.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.