Patient Safety: HIPAA Compliance During EDX Documentation
Published May 05, 2025
Practice
From the Quality and Patient Safety Committee
An unencrypted portable media device was used to transfer EDX reports from an EMG laptop to a device connected to the Electronic Health Record (EHR). The device is found to be missing at the end of the day and, despite exhaustive efforts, is never recovered. The clinical team estimates there were about 1,000 reports on the media device when it went missing.
Question: To comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009's Breach Notification Rule, which of the following entities must be notified following this data breach?
A. The patients whose data was potentially on the removable storage device
B. Health and Human Services (HHS)
C. Local media outlets
D. All of the above
Explanation:
Due to federal incentives tied to electronic health record (EHR) use and interoperability, EHRs were rapidly adopted following the HITECH Act and the 21st Century Cures Act of 2016. In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy Rule provided guidelines for disclosure of protected health information (PHI). Subsequent additions to HIPAA included the Security Rule, which extended those protections to electronic PHI (ePHI) and outlined the administrative, physical, and technical safeguards for protecting ePHI, and the Breach Rule, which mandated reporting measures for both accidental and deliberate events involving the sharing of PHI.
In 2021, there were over 34,000 HIPAA Privacy Rule complaints to Health and Human Services. In 2023, 739 healthcare data breaches affecting more than 500 individuals occurred, with well over 100 million records affected. When a data breach affects more than 500 individuals, the healthcare entity must notify the individuals involved by mail or email within 60 days, notify the Secretary of HHS (via https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?facesredirect=true) within 60 days, and notify media outlets in the localities where patients were affected. If the breach affected fewer than 500 individuals, the healthcare entity must notify the individuals involved and must also notify HHS within 60 days from the end of the calendar year.
ePHI security policies can vary between healthcare organizations, including policies on encryption and on the use of portable media devices. You should contact your organization’s privacy officer or privacy oversight committee with any questions about your organization’s specific ePHI practices.
Authors: Daniel Pierce, MD; Kara Stavros, MD
Sources:
- Office of the National Coordinator for Health Information Technology. Adoption of Electronic Health Records by Hospital Service Type 2019–2021. Health IT Quick Stat #60. Published April 2022. https://www.healthit.gov/data/quickstats/adoption-electronic-health-records-hospital-service-type
- Health Insurance Portability and Accountability Act of 1996, Pub L No. 104-191, 110 Stat 1936.
- 45 CFR §164.314(a)(1) (2024).
- US Department of Health and Human Services, Office for Civil Rights. HIPAA Enforcement: Data at a Glance. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html