The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers under section 13407 of the HITECH Act.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where necessary, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of "breach". The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same entity, or at an organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Unsecured Protected Health Information and Guidance
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of the public comments received, and it specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following a breach of such information.
View the guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Breach Notification Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals are likely to reside, so that individuals can learn whether their information was involved in the breach.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include, to the extent possible, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, the covered entity is ultimately responsible for ensuring individuals are notified, but it may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like the individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and it must include the same information required for the individual notice.
Notification to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information the covered entity is required to provide when notifying affected individuals.
Administrative Requirements and Burden of Proof
Covered entities and business associates have the burden of demonstrating that all required notifications have been provided, or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, they should maintain documentation that all required notifications were made, or, alternatively, documentation demonstrating that notification was not required: (1) a risk assessment showing a low probability that the protected health information was compromised by the impermissible use or disclosure; or (2) the application of any other exception to the definition of "breach".
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must develop and implement written policies and procedures for breach notification, train employees on these policies and procedures, and develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Instructions for Covered Entities to Submit Breach Notifications to the Secretary
Report a Breach to the Secretary
View Breaches Affecting 500 or More Individuals
Breaches of unsecured protected health information affecting 500 or more individuals. View a list of these breaches.