Educause Security Discussion mailing list archives
Re: Waiver of responsibility for emailed PHI
From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 18 Feb 2010 09:56:58 -0600
That's an "ask your legal counsel" question. With that said, my understanding is:

In our HIPAA training, if it's misrouted to someone covered by our HIPAA policies, training, etc. (I mailed Dr. Green in PEDS rather than RADIOLOGY), it's incidental and not a breach, and the recipient just needs to delete it. If it's sent to someone not covered (like the mystery DrGreen () yahoo com), then it is a breach.

I think your case really comes down to what did that waiver waive and could they waive that right and where in that chain did the mistake happen. Is it the recipient's lack of security for their mailbox or something else? Again, back to ask your legal counsel.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mayne, Jim
Sent: Thursday, February 18, 2010 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Waiver of responsibility for emailed PHI

A question for some of you that have experience with HIPAA and the HITECH rules. If a person, or in the case of a child, a legal guardian, signs a waiver allowing PHI to be communicated with them through email and later that email is misrouted, intercepted or otherwise read by someone else, is that considered a breach? Is the school responsible for reporting that as a breach?

Thanks,
Jim

Jim Mayne
Information Security Services