Michigan Agency Breaches PHI But Says Not Bound by HIPAA
I was glad to see that Health Data Management followed up on a breach where the entity said it wasn’t a HIPAA breach and had no duty to notify:
Responding to questions from Health Data Management, a Michigan Department of Community Health spokesperson said the compromised data “were not medical records and therefore, no notification under HIPAA was sent to individuals. However, because the reports contained Social Security numbers, the Identity Theft Protection Act did apply. MDCH therefore contacted individuals about the breach along with steps that could be taken to protect from the potential for identity theft.”
Determining the breach did not fall under the HIPAA breach notification rule, the department did not notify local media. The department’s Cancer Prevention and Control Section, where the information originated, is not a HIPAA-covered component of the Michigan Department of Community Health, the spokesperson notes.
Read more on Health Data Management.