In North Carolina, if a covered entity experiences a breach of unsecured PHI, it must notify the individuals whose PHI has been breached, the Department of Health and Human Services (HHS), and, in some instances, the media. The covered entity must also document the breach, the individuals affected, and the actions taken in response.
What is a breach?
- An unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI), such as when someone intentionally accesses PHI without authorization. An employee who knowingly obtains or discloses PHI in violation of HIPAA can face criminal penalties.
- Unintentional acquisition, access, or use of PHI. A good example is an employee who pulls up and discloses the record of a patient who shares a name with the intended patient.
- Inadvertent disclosure of PHI, most often by sending it to the wrong recipient in an email. In this case, ask the unintended recipient to disregard and delete the email, and record what was sent and to whom.
Note that HIPAA presumes an impermissible use or disclosure of unsecured PHI is a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Narrow exceptions exist, for example good-faith, unintentional access by a workforce member within the scope of their authority where the PHI is not further used or disclosed; the same-name example above does not qualify because the information was disclosed.
What is the reporting procedure?
The reporting procedure for a HIPAA breach in North Carolina varies with the specific circumstances of the breach, but the federal deadlines are fixed. Notify affected individuals without unreasonable delay and no later than 60 days after the breach's discovery. The notification must describe what happened (including the dates of the breach and of its discovery), the types of PHI involved, the steps individuals can take to protect themselves from potential harm, what the covered entity is doing to investigate and mitigate, and how to contact the entity with questions. You must also notify HHS. For breaches affecting 500 or more individuals, submit the report through the HHS Office for Civil Rights (OCR) online breach reporting portal within the same 60-day window; breaches affecting fewer than 500 individuals may be logged and reported through the same portal within 60 days after the end of the calendar year in which they were discovered.
What happens after my organization reports the breach?
- Once the breach has been reported, OCR (and, where state law applies, state officials) may contact your organization to collect additional information, review your mitigation steps, and decide whether to open an investigation.
- You are required to notify everyone impacted by the breach: the patients whose PHI was compromised and anyone who received information that was not their own. Patients have a right to file a complaint with OCR as well as with state and county authorities. If the breach affects more than 500 residents of North Carolina, the covered entity must also provide notice to prominent media outlets serving the state.
- Document the breach, the individuals affected, and the actions taken in response. A written breach notification letter to each affected individual is required regardless of the size of the breach; the 500-person threshold only changes when HHS must be told (at the time of the breach for 500 or more, annually for fewer than 500) and whether the media must be notified.
It’s important to note that if a covered entity believes a breach of PHI may have occurred, it should immediately contact its legal counsel and/or compliance officer to ensure compliance with all state and federal laws.
Recovering from a HIPAA breach is a complex process that depends on the specific circumstances of the breach. Beyond costing your practice time and money, it costs you patient trust. Schedule a HIPAA risk assessment with Tego today to minimize your risk of a breach.