Broadly, this means that if you use or receive PHI, then you are either a covered entity or a business associate
Signed into law on February 17, 2009
Provides for the adoption of electronic health records
Also adds new breach provisions
"the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"
HITECH Breach
Covered Entity
Business Associate
Subcontractor
Requirements
Investigate, give notice, reprimand, record/notify Secretary of Health and Human Services
If over 500 individuals affected, then must report to the Secretary
As of September 26, 2011, 330 reports (several organizations more than once), impacting more than 11 million records
Only provide the required notification if the breach involved unsecured protected health information
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance
Guidance available:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (and is to be updated annually)
Data at Rest: NIST
Data in Motion: