Medical Records: If You Show, You Have to Tell

You must notify patients and the U.S. Department of Health and Human Services (HHS) of “unsecured” protected health information (PHI) leaks or breaches. (“Unsecured” in this context means the PHI was not protected in accordance with HHS guidance.)

Specifically, you must:

  • Notify each person affected as soon as possible within 60 days of discovery of (or within 60 days of when you should have discovered) the breach;
  • Send the following information by first-class mail, or by e-mail if that is the patient's preference:
    • Date and circumstances of the breach,
    • Date of discovery,
    • Type of PHI involved,
    • Steps the person should take to protect himself or herself,
    • Steps you are taking to mitigate harm and protect against future breaches, and
    • How the person can obtain more information about the breach;
  • Maintain a log of breaches that affect fewer than 500 people and report them annually to HHS; and
  • If the breach affects 500 or more people, notify HHS immediately and notify relevant prominent media outlets as well. HHS will post the notification on its Web site.

   TMA Practice E-tips main page
