**Question:** How do employers determine whether a HIPAA breach has occurred, and what are the employer's breach notification obligations?

**Short Answer:** Once the employer determines that a breach of unsecured PHI has occurred in a self-insured health plan, HIPAA requires notice to the affected individuals and to HHS, and, where the breach affects more than 500 residents of a state or jurisdiction, to the media as well.

**Reminder: HIPAA Privacy and Security Rules Apply to "Covered Entities"**

The HIPAA privacy and security rules apply to the following Covered Entities:

- Health Plans: employer-sponsored group health plans; health insurance carriers (including HMOs); government health programs (Medicare, Medicaid, IHS, TRICARE, etc.)
- Health Care Providers (transmitting health information electronically): doctors, nurses, hospitals, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.

Typical employer-sponsored group health plans subject to these HIPAA privacy and security rules include:

For more details, see our Newfront Office Hours Webinar: HIPAA Training for Employers.

A HIPAA breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information (PHI) in a manner not permitted by the privacy rule, which compromises the security or privacy of the PHI.

PHI is individually identifiable health information maintained or transmitted by a covered entity or business associate.

PHI is considered "unsecured" where it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of encryption (or destruction). HHS has a useful guide to the encryption standards that satisfy this requirement. In practice, this is why a lost laptop or phone holding PHI is a breach unless the device was encrypted under those standards: full-disk encryption with a properly protected key takes the data out of the "unsecured" category entirely, while a password-protected but unencrypted device does not.

Important Note: The exclusion of enrollment/disenrollment information from the definition of PHI subject to HIPAA protection significantly limits the scenarios in which a breach can occur. Enrollment/disenrollment information held by the covered entity in its role as employer is considered an employment record that is not PHI, provided such records do not include any substantial clinical information.

**Determining Whether a Breach Has Occurred: The Risk Assessment**

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This analysis is referred to as the risk assessment. Because the burden of proof sits with the covered entity or business associate, the risk assessment should be written down and retained, not just performed.

The risk assessment must be based on at least the following factors:

- The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
- The unauthorized person who used or had access to the PHI;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.

**Determining Whether a Breach Has Occurred: The Three Exclusions from Breach**

Given the presumption of a breach in the revised HITECH Act regulations, it is difficult for a covered entity or business associate to conclude that a breach has not occurred where there has been an impermissible use or disclosure of unsecured PHI. The regulations carve out three specific situations where there is no HIPAA breach despite the impermissible use or disclosure of unsecured PHI:

Unintentional Access/Use of PHI by Workforce Member: If a person acting under the authority of a covered entity or business associate unintentionally acquires, accesses, or uses PHI while acting in good faith and within the scope of that authority, this mistaken access by a workforce member does not rise to a HIPAA breach, as long as the mistake does not result in any further impermissible use or disclosure of the PHI.

Example: A People Ops employee within the HIPAA firewall is tasked with plan administrative functions for the dental and vision plan. The employee unintentionally accesses claims information for an employee related to the medical plan (e.g., because of an internal systems error) despite having no plan-related need to know that claims information. This would likely fall within the exception.