Health Breach Notification Rulemaking #541358-00007

Submission Number:
R. Sargent
Initiative Name:
Health Breach Notification Rulemaking
In regards to Health Breach Notification: Please clarify as to whether incidental releases of a patient's medical record, whereby one patient's PHI is released with another patient's medical records or the incorrect patient's medical records are released are considered a notifiable breach. Example 1: A page of patient b's record was misfiled and is in patient a's chart (paper and or electronic), and patient b's page is inadvertently released to an insurance company, attorney, other provider, etc. that is requesting patient a's records with a signed authorization from the patient. The incident is reported by the receiver of the information, and the page(s) of record on patient b are returned or shredded. Example 2: A company is requesting information for a patient and receives records on the wrong patient (same name different date of birth). Again the information is reported by the receiver, and records are returned or destroyed. Are these types of incidental releases considered a breach of PHI, and would this incidental release need to be reported to the FTC or is the reporting to the FTC only required when persons of 500 or more are affected?