The world of health care moves fast. Hospitals, physicians and other providers must protect the confidentiality of health information in a highly regulated environment with constantly evolving technology. Learn how we can help through our guide, "A Breach, or Not a Breach? If That Is the Question, Encryption May Be the Answer
." An excerpt follows:
After the risk assessment establishes the facts related to the impermissible disclosure, the covered entity may find that one of three statutory exceptions to the definition of “breach” applies.
1. The unintended access or use of the PHI by an employee
of the covered entity, acting in good faith within the scope of
2. The inadvertent disclosure of PHI by a person who
is authorized to use PHI to another authorized person (this
exception probably encompasses situations where the
second authorized person did not actually “need to know”
the particular PHI).
3. The disclosure to a person that the covered entity believes
in good faith was unlikely to retain the information (example:
a nurse in a physician’s office accidentally gives a medical
summary to the wrong patient, who immediately sees that it
is not hers and gives it back to the nurse).
If the covered entity’s risk assessment leads to the conclusion that an exception does not apply, and that it will not be able to demonstrate that there is a low probability that the PHI has been compromised – then the definition of “breach” has been met, the notification requirements kick in, an investigation will ensue . . . and the covered entity will probably start thinking wistfully about the virtues of encryption.