Is misdirected e-mail a HIPAA privacy breach?


Issue:

One of your billing department employees received and opened an e-mail containing protected health information (PHI) that a nurse mistakenly sent her. The employee noticed that she was not the intended recipient, alerted the nurse of the misdirected e-mail, and then deleted it. Does this constitute a breach of privacy that would require your company to comply with HIPAA’s breach notification rules?

Answer:

No. The billing department employee's acquisition and access of the PHI was unintentional, made in good faith and within the scope of her authority, and she did not further use or disclose the information once she realized she was not the intended recipient. That falls within the first breach exclusion described below, so the incident is not a breach and notification is not required. Two practical conditions apply: the exclusion holds only as long as the information is not later used or disclosed in a manner the Privacy Rule does not permit, and, because the covered entity bears the burden of demonstrating that a use or disclosure did not constitute a breach (45 CFR §164.414(b)), the incident and the basis for applying the exclusion should be documented.

What is a breach? The interim final regulations, which became effective on September 23, 2009, define a "breach" as the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Under those regulations, the security or privacy of the PHI is compromised when the impermissible use or disclosure poses a significant risk of financial, reputational or other harm to the individual. (Note that the 2013 Omnibus Rule, 78 FR 5566, later replaced this harm threshold: an impermissible use or disclosure is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.)

To determine if an impermissible use or disclosure of PHI constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, consider the following factors:

  • the type and amount of PHI involved;
  • who impermissibly used or to whom the information was impermissibly disclosed;
  • whether the covered entity took immediate steps to mitigate an impermissible use or disclosure; and
  • whether the PHI was returned prior to it being accessed for an improper purpose.

Breach exclusions. A breach does not occur in the following situations:

  • any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
  • any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate (or organized health care arrangement in which the covered entity participates), and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; and
  • a disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Source: 45 CFR §164.402, as added by the interim final rule at 74 FR 42740, August 24, 2009.
