Section 13402 of HITECH's Subtitle D is one of the significant changes introduced by the HITECH Act: it imposes breach notification requirements that HIPAA did not. Providers are well advised to have a notification plan in place for when (likely not if) the inevitable happens:
13402(a): Covered Entities (CEs) must notify individuals.
13402(b): Business Associates must notify CEs.
13402(d): Notification must be no later than 60 days after discovery.
13402(e): Specific notification methods are required depending on the number of individuals whose PHI was breached.
13402(f): The notification must contain specific content.
13402(h): Unsecured PHI* means PHI that is not secured through 1) encryption and/or 2) destruction, as provided by HHS guidance. The methods used must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see the HIPAA Security Rule and NIST standards).
If PHI is secured as per the guidance, then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered unsecured PHI, and its breach will trigger the notification requirements.
If over 500 individuals' PHI has been compromised, then the media and the Secretary of HHS must be notified as well.
Breach: “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not be able to retain such information.”