Transparency is Key When Dealing with Health Information Breaches
Griffin President Patrick Charmel defends his hospital's practice of securing patient information in its Web site statement:
"Griffin Hospital has stringent policies, procedures, and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients," Charmel says. "This breach, however, appears to have been a deliberate intrusion into Griffin's PACS to view patient radiology reports. We acted quickly to complete an audit and investigation and to notify affected patients. As a result of this breach, steps are underway to further strengthen the security of patient information."
The HITECH breach notification requirements can be found in the interim final rule published in the Federal Register August 24, 2009.
The rule states that:
- Covered entities (CE) must notify affected patients "without unreasonable delay," but no later than 60 days after the CE discovers or should have discovered the breach or from the time a business associate (BA) notifies the CE of a breach
- BAs must notify CEs when they discover a breach
- Breaches affecting 500 or more patient records require notice to the secretary of HHS and prominent media outlets serving a state or jurisdiction
- Breaches affecting deceased patients required notice to next of kin
- Notices must describe what occurred; details of the unsecured, breached PHI; steps to help mitigate harm to patients; and the CE's response
- Breaches of unsecure PHI affecting fewer than 500 patient records require annual notice to the secretary of HHS 60 days after the end of the reporting year
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- The Secret to Physician Engagement? It's Not Better Pay
- Two-Midnight Rule Must be Fixed or Replaced, Say Providers
- Yale New Haven Health Partners with Tenet Healthcare in CT
- Don't Underestimate Emotional Intelligence
- Care Coordination Tough to Define, Measure
- 4 Reasons PCMH Principles Aren't Going Away
- Size Matters in Antibiotic Overuse
- Evidence-Based Practice and Nursing Research: Avoiding Confusion
- CDC Warns of Antibiotic Overuse in Hospitals
- SCOTUS Review of NC Board Case 'A Very Big Deal' to Providers