A breach of protected health information ("PHI") is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.
PHI Breach: Dealing With a Breach Under HIPAA Guidelines
Breach

A breach is, generally, an impermissible use or disclosure of protected health information that compromises the security or privacy of that protected health information. HIPAA defines a breach as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.

A risk assessment is performed for any breach under the following considerations:
1. The nature and extent of the PHI involved.
2. The authority of the person to whom the disclosure is made.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the protected health information has been mitigated.

Both covered entities and business associates have discretion to provide the required breach notification.
Exceptions

There are three exceptions:
1. Unintentional acquisition, access, or use of protected health information by a workforce member or a person acting under the authority of a covered entity or business associate, acting within the scope of that authority.
2. Inadvertent disclosure of protected health information by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI, where the information will not be further used or disclosed.
3. The covered entity or business associate has a good-faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.
Notification of Breach

1. Covered entities and business associates are responsible for notification.
2. Covered entities must notify the individuals (or next of kin) affected by the breach.
3. Business associates must report the breach to the covered entity.
4. A breach affecting more than 500 individuals must be reported to the Office for Civil Rights.
5. A breach affecting fewer than 500 individuals is not required to be reported to the Office for Civil Rights.
6. If a covered entity's business associate has a breach, it must report it within 60 days.
Examples of Possible Breaches

1. Faxing patient information to the wrong fax number.
2. Losing a laptop, flash drive, or CD containing patient information.
3. Having improper website security that exposes an internal part of the website containing PHI to the public.
4. Using a computer infected with a virus or malware.
5. Improperly disposing of electronic equipment containing PHI.
Countermeasures Against HIPAA Violations

1. Verbal warning
2. Notice of disciplinary action placed in personnel files
3. Removal of access privileges
4. Termination
5. Contract penalties
6. Report to law enforcement for suspected criminal activity
7. Civil action