Any incident involving the impermissible use or disclosure of Protected Health Information (PHI) must be reported to the HIPAA Privacy Office upon discovery. Prompt reporting of incidents allows us the opportunity to properly investigate the matter and mitigate any potential harm to the patient/subject.
The office will work with you to determine the appropriate next steps, and whether the incident will require notification.
What constitutes an incident:
- Misdirected documents including faxes, emails and paper documents handed to or mailed to the wrong patient/recipient
- Suspected loss of document/record/log
- Unauthorized access to PHI including any access for non-business purposes
- Suspected loss or theft of devices
- Improper disposable of documents/records
- Impermissible disclosures including failure to deidentify information or a disclosure to an individual not authorized to access to PHI
To report any suspected loss of PHI, misdirected documents containing PHI, or impermissible access/disclosure of PHI please complete the HIPAA Incident Spreadsheet and submit to email@example.com. Failure to report an incident may result in a sanction of the workforce member.