Did the incident involve a use or disclosure of unsecured PHI that violated the HIPAA Privacy Rule?
HHS has defined breach to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. The Privacy Rule establishes an elaborate framework for permissible uses and disclosures of PHI. As a general rule, PHI may not be used or disclosed without the individual’s prior written authorization. However, the Privacy Rule contains a laundry list of exceptions to this general rule. Consequently, covered entities often may be required to scrutinize the Privacy Rule to determine whether a breach occurred.

Does the Privacy Rule violation fall within one of the exceptions to the notification requirements?
HHS has carved several, relatively narrow situations from the notification obligation: (a) when a workforce member authorized to access PHI inadvertently accesses PHI that is not within the scope of the authorization — for example, when a benefits administrator responsible for certain divisions of a large corporation inadvertently reviews PHI for employees of a division that