Patient Confidentiality and HIPAA Guidelines

All security breaches must be reported to Centers for Medicare & Medicaid Services (CMS)

Attention all Dialysis and Transplant Facility Personnel

Communication through email correspondence is the standard for most facilities in the Network. Recently, the Network has seen an increase in the number of emails we receive that contain confidential patient-specific information. Please be advised that email correspondence to the Network IS NOT SECURE and does not meet the guidelines established by the Health Insurance Portability and Accountability Act (HIPAA) for transmission of identifying or protected health information (PHI). Per the Centers for Medicare and Medicaid Services (CMS), this is classified as a security incident and must be reported to CMS by the Network office.

As per CMS guidelines, if we receive PHI on any patient via email, this breach must be reported to the sender and the facility administrator via email, and to CMS through the use of the CMS Quality Log of Incident Handling Actions. An investigation will be done by a designated CMS QualityNet (QNet) security staff member. Depending on the type and severity of the incident, internal grievance procedures and/or external agencies will be notified as required by law. Upon receipt of your copy of this log, it is your facility’s responsibility to notify your organization’s HIPAA compliance officer, and to follow the guidelines established by your institution to comply with HIPAA mandates.

Please note that you can use QualityNet as a CMS-approved method of submitting patient-specific information to the Network. If your facility does not already have a QualityNet user account and would like to have one, contact the QualityNet Help Desk at 1.866.288.8912 or They will be able to assist you in setting up an account so that you can use the internet to submit information to the Network.

QualityNet Users(HHS)

United States Department of Health and Human Services (HHS)