
Personal Health Information Privacy

Privacy is an issue that has derailed previous attempts at health IT implementation and the widespread implementation of EHRs. In passing the legislation, Congress did increase federal privacy laws for Personal Health Information (PHI), provided a definition of a data “breach,” and outlined the steps providers or other qualified users of PHI must take in the event of a breach where PHI has been stolen, used, or viewed by a non-qualified user.

Clarifications on the definition of a breach include:

  • An unintended disclosure where a person would not reasonably be able to retain the information disclosed does not constitute a breach requiring notification
  • Any inadvertent disclosure by an individual who is otherwise authorized to access protected health information at a facility

Breach notification requirements include:

  • Notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of such breach
  • Exceptions to the breach notifications are for unintended acquisition, access, use or disclosure of protected health information
  • For a breach of unsecured PHI under the control of a business associate, the business associate would be required to notify the covered entity
  • Notice would be made to the Secretary and prominent media outlets serving the area in the event of a breach of more than 500 individuals
  • If the breach is fewer than 500, the covered entity would have to maintain a log of such breaches and annually submit it to the Secretary
  • The Secretary is required to issue interim final rules within 180 days of enactment on privacy provisions
  • Requires Personal Health Record (PHR) vendors, and entities offering products and services through PHR vendors’ Web sites, upon discovery of a breach of security of unsecured PHR information, to notify the affected individuals and the Federal Trade Commission
  • The legislation amends HIPAA to permit OCR to pursue an investigation and the imposition of civil monetary penalties against an individual for an alleged criminal violation of the HIPAA Privacy and Security Rules, if the DOJ has not prosecuted (once regulations have been issued on the provision)

The law also prohibits the sale of PHI by a covered entity or business associate without patient authorization (except in specified circumstances) and outlines the civil and criminal penalties that can be imposed for the unlawful use of PHI.

© 2010 Dell