Any incident involving the impermissible use or disclosure of Protected Health Information (PHI) must be reported to the HIPAA Privacy Office upon discovery. Prompt reporting of incidents allows us the opportunity to properly investigate the matter and mitigate any potential harm to the patient/subject.
The office will work with you to determine the appropriate next steps, and whether the incident will require notification.
What constitutes an incident:
- Misdirected documents including faxes, emails and paper documents handed to or mailed to the wrong patient/recipient
- Suspected loss of document/record/log
- Unauthorized access to PHI including any access for non-business purposes
- Suspected loss or theft of devices
- Improper disposal of documents/records
- Impermissible disclosures including failure to deidentify information or a disclosure to an individual not authorized to access PHI