The Department of Health and Human Services (HHS) published an "interim final" rule on August 24, 2009 that sets forth when and how psychologists and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must give notice to patients and HHS if they discover that protected health information (PHI) has been "breached" - for example, stolen or improperly accessed in a way that poses a significant risk of patient harm.

Although HHS just published the interim final rule (Rule), it applies to any breaches discovered on or after September 23, 2009. In most cases, a health care provider would have 60 days from discovery to notify patients about the breach.

An unusual aspect of this "interim final" rule is reflected in its name: Although the Rule goes into effect on September 23, HHS is seeking comments on it until October 23 and presumably will revisit the Rule based upon those comments. HHS was required to issue the interim final rule as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law in February 2009. The American Psychological Association (APA) Practice Directorate plans to submit comments to HHS regarding unique concerns of psychologists and their patients related to this Rule.

We are aware of only isolated instances of breaches of PHI affecting practicing psychologists. However, the Rule will provide helpful guidance if your practice experiences this misfortune. The primary thrust of the Rule is consistent with how most psychologists respond to a breach - by notifying affected patients.

This article answers basic questions about when a breach occurs and how you as a psychologist should give notice of a breach. In the latter portion, we include answers to more specific questions that may arise, such as what to do if a breach affects the records of a minor patient. While the Rule also applies to business associates under HIPAA, for example, a billing service or accountant who handles PHI, this article focuses on the obligations of a psychologist covered by HIPAA.

It is important to remember that an ounce of prevention is worth a pound of cure: The most important thing to do in your practice is to follow good security and privacy practices, for example, by complying with the HIPAA Privacy and Security Rules and by considering the recommendations in the 2007 Record Keeping Guidelines adopted by APA. Taking these steps will minimize your risk of suffering a breach that must be reported.

Under the Rule, a breach is:

- The acquisition, access, use or disclosure of PHI
- Involving PHI that has not been "secured" (by HHS-approved encryption or other technologies that make the PHI unusable to unauthorized users)
- That compromises the security or privacy of PHI by posing a significant risk of financial, reputational, or other harm to the patient.

Because the last prong - significant risk of harm to the patient - is a critical part of the breach definition, one of your first steps after discovering a potential breach should be to assess that risk.

For example, if you are consulting with another psychologist and you or your assistant accidentally sends information on the wrong patient, the chance of significant harm is reduced by the fact that the other psychologist has legal and ethical obligations to protect the privacy of the information sent accidentally. The risk is further reduced if you promptly alert your fellow psychologist to the mistake and she/he assures you that the information has been properly destroyed or deleted. Because there is no significant risk of harm in this scenario, this would not qualify as a "breach" for which you must give notice. Conversely, if you learn that someone has hacked into your practice's electronic records or broken into your paper files, that could pose a significant risk to the privacy of your patients.

You must notify a patient affected by a breach without unreasonable delay and within 60 days after "discovery." A breach is "discovered" on the first day that you know (or reasonably should have known) of the breach. You are also deemed to discover a breach on the first day that any employee, officer or other agent of your practice (other than the person who committed the breach) knows about the breach.

The notice must be in plain language that a patient can understand. It should provide the following information:

- A brief description of the breach, including dates
- A description of the types of unsecured PHI involved