Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.
The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.
Some hospitals reason that, since the risk analysis produces only subjective results, there is no point in performing it. They believe that the effort and expense incurred yield no real benefit for either the covered entity (CE) or the patient, and they simply notify the potentially affected patient in every instance.
In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.
For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks – the risk of someone finding and misusing the information, for example. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo that transposed two digits), chances are good that the post office will either return the records to the sender or the package will simply go undelivered.
If the records are not accounted for, it is generally accepted that it should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT have a “substantial risk of reputational or financial harm” to the patient. This was apparently HHS’s thinking when it required the risk analysis to be conducted.
In next week’s post, we’ll cover the possible changes to the breach notification rules.