Category: Compliance

Date: April 2011

Reviewed/Revised: April 2013

Purpose

To comply with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).

Definition of Breach

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual. There are three exceptions to the definition of breach.

  1. The unintentional acquisition, access or use of PHI by an employee acting under the authority of a covered entity or business associate. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  2. The inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity to another person authorized to access PHI at the covered entity. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. A disclosure where the covered entity has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Unsecured Protected Health Information

PHI is unsecured when it has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of appropriate technology or methodology.

Breach Notification Requirements

Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary of the Department of Health and Human Services, and, in certain circumstances, to the media.

Procedure

Breaches must be reported to the EVMS Medical Group Privacy Office within five days of the incident. The Privacy Officer will conduct a review of the incident and make the appropriate notifications required by law.