As you know, HIPAA-covered entities experiencing a security breach are obligated to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, in some cases, the media. When a breach affects 500 or more individuals, the covered entity must report the incident to HHS within 60 days of discovery.
HHS, in turn, provides a brief summary of the event on its website.To date, HHS has listed private practices anonymously, identifying them only as “Private Practice.
” HHS took the position that private practices could not be specifically named on the website because they are identifiable as “individuals” within the meaning of the Privacy Act, which would potentially require the practice’s consent prior to listing it by name. Pursuant to the Privacy Act, HHS may designate its publication of breaches, including naming private practices, as a “routine use” of the information such that prior consent is not required for the publication.
Accordingly, on April 13, HHS published a Federal Register notice stating its intention to start identifying private practices by name on its breach website, designating such publication as a “routine use” of the information under the Privacy Act. Although it has yet to do so, HHS has been entitled to name private practices (both prospectively and retroactively) since May 23, 40 days from publishing its Federal Register notice.
Related Posts
Educational partnerships guarantee admission to Northeast College of Health Sciences health care programs- Theralase achieves success in destruction of listeria bacteria
- Thank You For Downloading this Special Report
- President Trump signs bill expanding chiropractors’ role in the VA
- Kent S. Greenawalt accepted into ICA fellowship
- Helping your patients sleep better to avoid chronic pain
