Was there an impermissible use or disclosure of unsecured PHI?
This is one of the fundamental questions that needs to be answered before you can determine whether or not Breach Notification has been triggered under the HITECH Act. This question has two component parts: 1) impermissible use or disclosure; and 2) of unsecured PHI. This post deals with the first component.
Essentially, what "impermissible use or disclosure" translates to is the question: "Has the HIPAA Privacy Rule been violated?" as depicted in Flowchart 4.
As you might imagine, this open-ended question is difficult to answer and requires a deep understanding of the Rule even to make an educated guess. As with other complex problems, it is often helpful to break it down into smaller pieces. If you can determine that the use or disclosure was valid under the Rule, then obviously you are done with the analysis. Breach Notification is NOT triggered if there has been no violation of the Rule. Flowchart 6 depicts this analysis.
Of course, this does not get you all the way home, but it does represent how you can begin attacking the problem.