Sentences with phrase «unsecured phi»

Reporting: BirdEye shall report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;

«Unsecured PHI» shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to this act.

A security breach notification only applies to «unsecured PHI».

The OCR enforces the HIPAA Privacy Rule, which protects the privacy of PHI; the HIPAA Security Rule, which sets national standards for the security of electronic PHI; and the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured PHI.

As provided in the HIPAA Breach Notification Rule, covered entities, upon discovery of a breach of unsecured PHI, may have up to three separate notification obligations, depending upon the number of affected individuals:

We are required to notify you in writing of any breach of your unsecured PHI without unreasonable delay, but in any event, no later than 60 days after we discover the breach.

The comments in the Proposed Rule listed examples of willful neglect as: (1) disposal of a hard drive in an unsecured dumpster where the covered entity failed to implement policies and procedures to safeguard PHI during the disposal process; (2) failure to respond to an individual's request for restriction of the uses of PHI where the covered entity did not have any policies and procedures in place for consideration of the request for restriction; (3) a covered entity's employee loses a laptop that contains unencrypted PHI and the covered entity feared for its reputation if the incident became public and decided not to provide the appropriate notification.7

Examples of «willful neglect» from the comments in The Federal Register help define the term: (1) disposal of a hard drive in an unsecured dumpster where the covered entity failed to implement policies and procedures to safeguard PHI during the disposal process; (2) failure to respond to an individual's request for restriction of the uses of PHI where the covered entity did not have any policies and procedures in place for consideration of the request for restriction; (3) a covered entity's employee loses a laptop that contains unencrypted PHI and the covered entity feared for its reputation if the incident became public and decided not to provide the appropriate notification.5 In each of the examples, the covered entity had actual or constructive knowledge of the violations.

The U.S. Department of Health and Human Services («HHS») Office of Civil Rights («OCR») recently announced its first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information («PHI»).

PHI that is not encrypted or completely destroyed is considered «unsecured» by HHS.

Covered entities are required to report any breach of unsecured protected health information («PHI») to the Secretary of the U.S. Department of Health & Human Services, Office of Civil Rights («OCR»).