What is a Breach?
A breach is, generally, an impermissible use or disclosure of protected health information (PHI) under the Privacy Rule that compromises the security or privacy of that PHI. (Under the original 2009 breach notification rule this meant the use or disclosure posed a significant risk of financial, reputational, or other harm to the affected individual; since the 2013 Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.)
What is an example of a breach of PHI?
- An employee accesses the record of a patient outside the performance of their job duties.
- An unencrypted laptop containing PHI is lost or stolen. (PHI that is encrypted in line with HHS guidance is not "unsecured", so loss of a properly encrypted device is generally not a reportable breach; this is why encryption matters so much.)
- PHI is sent to the wrong fax number, mailing address, email address or printer.
- Generally speaking, your institution's HIPAA compliance officer must be notified of every suspected breach immediately upon its discovery.
- The HIPAA compliance officer determines whether a reportable breach has occurred.
- If a reportable breach of PHI has occurred, your institution's HIPAA compliance office handles the notifications.
- Every individual whose unsecured PHI has been breached must be notified in writing without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.
- Breaches must also be reported to the Department of Health and Human Services (HHS).
- If fewer than 500 individuals are affected: log the breach and report it to HHS annually (no later than 60 days after the end of the calendar year in which it was discovered). If 500 or more individuals are affected: HHS must be notified at the same time the individuals are notified, and prominent media outlets serving the affected state or jurisdiction must also be notified.
How can Clinical Chaplains help prevent breaches of PHI?
Be alert to your responsibility to protect PHI while carrying out your tasks. Take special care in these situations:
- When faxing, always use your institution's official fax cover sheet and reconfirm the recipient's fax number before transmitting.
- Do not put PHI, including patient stickers and medication labels, in regular trash. Shred or place in privacy bins for special disposal.
- When retrieving PHI from a printer or fax machine, verify that each page belongs to the correct patient.
- Double check the name of the patient before you put information in the envelopes for mailing.
- Lock or log off your computer before stepping away from it.
- Use the password-protection and encryption features on your BlackBerry, cell phone and other mobile devices and media, such as thumb drives and CDs.
- Only store PHI on mobile devices when absolutely necessary for your institution’s business purposes and delete as soon as feasible.
- Encrypt any email containing PHI sent outside your institution.
- Never share your password or use someone else's sign-on information. Both are grounds for discipline by your institution, and any activity performed under your credentials is attributed to you.
For further information on the new HIPAA standards follow the link below: