MSMS Michigan Medicine November December 2022

information was actually acquired or viewed by an unauthorized person; and (4) the extent to which the risk to the protected health information has been mitigated.

In your case, a judgement call has to be made. There seems to be a low probability that the information has been compromised based on the fact that the thumb drive went straight to your biller’s home and appears to have been accidentally thrown in the trash instead of being taken by an unauthorized person. You must document this risk assessment in writing. If you are not comfortable concluding that there is a low probability of compromise, then you must determine which type of report(s) must be made.

Individual notice is always required. Generally, all patients whose protected health information was on the thumb drive must receive written notice by first-class mail without unreasonable delay and in no case later than 60 days following the discovery of a breach including, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches. If there are more than 500 affected individuals, you must, in addition to individual notice, provide notice to prominent media outlets.

Finally, in addition to notifying affected individuals and the media (if more than 500 affected individuals), the Secretary of Health and Human Services must be notified. This can be done electronically by going to the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

DANIEL J. SCHULTE, JD, MSMS LEGAL COUNSEL, IS A MEMBER AND MANAGING PARTNER OF KERR RUSSELL.
