If you suspect that PHI has been used or disclosed for an unauthorized purpose
HIPAA privacy and security violations can result in fines of $110 to $55,100 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from "willful neglect", the Office for Civil Rights ("OCR") must impose a mandatory fine of $11,002 to $55,100. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information ("PHI") to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute "willful neglect" resulting in mandatory fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with "willful neglect" and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help identify and respond in a timely manner to HIPAA breaches.
Avoiding Breaches. Of course, it is better to avoid a breach than to respond to one. To that end, covered entities and business associates should ensure that they practice preventive medicine by, among other things, implementing required policies and administrative, technical and physical safeguards to protect PHI, and periodically monitoring compliance. Train and regularly retrain or remind workforce members concerning HIPAA obligations. Use past breaches to improve systems and future performance. Consider purchasing appropriate privacy insurance to cover the costs if breaches do occur, and include indemnification or other provisions in business associate agreements to protect yourself and/or shift the costs of potential breaches.

For questions regarding this update, please contact:

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Which of these describes when PHI is disclosed to an unauthorized person?
A PHI breach is unauthorized access, use or disclosure of individually identifiable health information that is held or transmitted by a healthcare organization or its business associates.
What steps should be taken if there is a breach of PHI?
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
When PHI is used, disclosed or requested, it must be?
In general, a covered entity may only use or disclose PHI if either: (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information gives authorization in writing. We note that this blog only discusses HIPAA; other federal or state privacy laws may apply.
Who should you report the discovery of an unsecured PHI breach to?
A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information. See 45 C.F.R. § 164.408. All notifications must be submitted to the Secretary using the Web portal below.