
HIPAA Q&A: Requirements for notification


Q. What constitutes a privacy breach that requires notification to patients? Recently, a thief broke into an employee’s car and took her address/memo book. The book contained patients’ last names only and a medical ID number, or maybe first and last names with medical ID numbers, and an occasional note regarding the care or a question the patient asked. How should we handle this?

A. The American Recovery and Reinvestment Act of 2009 (ARRA) defines a breach as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. This incident meets the definition of a breach under ARRA.

You can find additional guidance in the interim final rule for breach notification for unsecured PHI, which became effective September 23, 2009. It remains in effect as of press time, pending issuance of a new final rule (see related story on the rule sent to OMB). The interim final rule includes a harm threshold provision, which allows an organization to omit notification of affected patients if it determines that the use or disclosure poses no significant risk of “financial, reputational, or other harm” to the individual.

Although this incident does constitute a privacy breach, you must evaluate the information contained in the address book to determine whether a significant risk of harm exists. For entries that include only the patient’s name and medical record number, the risk is probably not significant. If the notes regarding care or questions asked reveal the patient’s diagnosis, the risk may be significant.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.

