Call: (407) 331-6620 or (850) 439-1001
Toll-free: (888) 331-6620
Menu
Call: (407) 331-6620 or (850) 439-1001
Toll-free: (888) 331-6620
(June 5, 2013) – All health care providers know that the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to report the breach of unsecured protected health information. Most health care providers do not know exactly how to report the breach of unsecured protected health information. The actual breach notification requirements vary slightly based upon the number of patient records involved in the breach and whether the covered entity has current contact information for those patients.
Unsecured protected health information is any health information that is not encrypted. Paper records are always unsecured, but electronic records may be unsecured or encrypted. A breach is an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. There is always a breach of unsecured protected health information when paper records or unencrypted electronic records are lost.
Every covered entity must notify each affected individual (patient) following the discovery of a breach of unsecured protected health regardless of the number of patients involved. The notifications to the affected individuals must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach. The notice to the patients must include a description of the breach, a description of the types of information that were included in the breach, the steps the patients should take to protect themselves from potential harm, a description of what the covered entity is doing to investigate the breach, mitigate the harm to the patients, and to prevent further breaches, as well as contact information for the covered entity. Most covered entities are also purchasing identity theft protection services for the patients affected by a breach.
The individual notice to patients must be provided in writing by first-class mail, or alternately by e-mail if the patient has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, the covered entity must also provide substitute individual notice by either posting the notice on the home page of its web site, or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means. Any substitute notice provided via web posting or major print or broadcast media must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
Every breach of protected health information must also be reported to the Secretary of the Department of Health and Human Services (HHS). The timing of the report to the Secretary of HHS varies depending on the number of patients affected by the breach. If a breach affects 500 or more individuals, the covered entity must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, the breach affects fewer than 500 individuals, the covered entity may notify the Secretary of the breach on an annual basis. The covered entity must report a breach affecting fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breach occurred.
A covered entity may also be required to notify the media when a breach of unsecured information occurs. Every breach affecting 500 or more individuals must be reported to the media by the covered entity.
Reporting the breach of unsecured protected health information is an expensive and time consuming process. Preventing a breach of unsecured protected health information is always the best solution. Covered entities need to encrypt their electronic records and carefully safeguard their paper records.
Michael L. Smith, R.R.T., J.D., is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.
This article was originally published in Advance for Respiratory Care and Sleep Medicine.
Main Office • 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL, 32714
By Appointment • 37 N. Orange Ave., Suite 500, Orlando, FL 32801
By Appointment • 201 E. Government St., Pensacola, FL 32502 Telephone: (407) 331-6620(850) 439-1001 Telefax: (407) 331-3030
Medicare/Medicaid Audits, Health Care Law, Contracts, Hospital Privileges Hearings, Investigations, DEA Defense, Board of Medicine Defense, Fraud Defense, Administrative Hearings, PRN, IPN, Professional Licensing, Medicare/Medicaid Fraud Defense, Nursing Law, Compliance Plans, Hospital Law, Board of Dentistry, Board of Nursing, Board of Pharmacy, Board of Psychology, White Collar Crime, Pain Management and Pain Medicine Physician Defense, Pain Management Clinic Defense, Zone Program Integrity Contractor (ZPIC) Audit Defense, Recovery Audit Contractor (RAC) Audit Defense, Medicaid Fraud Control Unit (MFCU) Defense, Search Warrant and Subpoena Defense, Board of Psychology Defense, NBME Representation, U.S.M.L.E. Challenges, ABIM Representation, Medical Exam Cheating Defense…and more
Available in the following Florida cities and counties: Daytona Beach, Fort Lauderdale, Gainesville, Jacksonville, Key West, Melbourne, Miami, Ocala, Orlando, Pensacola, Panama City, Sarasota, St. Petersburg, Tallahassee, Tampa, West Palm Beach, Alachua, Baker, Bay, Bradford, Brevard, Broward, Calhoun, Charlotte, Citrus, Clay, Collier, Columbia, Dade, De Soto, Dixie, Duval, Escambia, Flagler, Franklin, Gadsden, Gilchrist, Glades, Gulf, Hamilton, Hardee, Hendry, Hernando, Highlands, Hillsborough, Holmes, Indian River, Jackson, Jefferson, Lafayette, Lake, Lee, Leon, Levy, Liberty, Madison, Manatee, Marion, Martin, Monroe, Nassau, Okaloosa, Okeechobee, Orange, Osceloa, Palm Beach, Pasco, Pinellas, Polk, Putnam, St. Johns, St. Lucie, Santa Rosa, Sarasota, Seminole, Sumter, Suwannee, Taylor, Union, Volusia, Wakulla, Walton, and Washington
By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.
Available in the following states*: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming
Disclaimer | Terms of Representation
The Health Law Firm logo shown above is a registered Service Mark of George F. Indest III, P.A. – The Health Law Firm, since 2007.
“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2024 The Health Law Firm. All rights reserved.