Do you have a reportable data breach?
Concerned that you have a data breach?
Not everything that looks like a data breach is, in fact, a reportable data breach. Before you report a data disclosure to the US Department of Health and Human Services Office for Civil Rights (OCR), you should confirm that what you are concerned is a reportable data breach is, in fact, a HIPAA breach.
A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under HIPAA that compromises the security or privacy of the data.
Not every disclosure of PHI is a breach. There are three important exceptions.
Three data disclosures that are not considered a reportable breach:
- Unintentional Access:
An employee unintentionally accesses PHI but does not further disclose the PHI in a manner that is not permitted under the HIPAA regulations. For example, a clinician wishes to enter information in the chart for patient “John Smith”. The clinician opens the chart for the patient John Smith living on Bay Ridge Street instead of the patient John Smith living on Reed Street. The clinician closes the chart as soon as the mistake is identified.
- Inadvertent Disclosure to Authorized Person:
An individual who is authorized to see the PHI inadvertently shares the PHI with another person in the organization. That second person does not further disclose the information in a manner that is not permitted under the HIPAA regulations. For example, a technician sends lab results for the wrong patient to a physician. The physician deletes the results.
- Inability to Retain the PHI:
PHI is inadvertently disclosed to someone unauthorized to have access to the information, but that person would not reasonably be expected to retain the information. For example, a clinician’s young child is on the phone while the clinician is discussing patient PHI.
Is every disclosure that does not fall into one of these three exception categories considered a reportable breach?
The regulations allow for a four-factor analysis to assess the overall level of risk of compromise, to discover the extent of the data breach, and to determine whether or not notification is required. Only after this four-factor analysis is completed does the hospice agency determine whether or not a breach occurred and the level of risk.
The following are the four factors:
- Factor 1: Nature and Extent of PHI Involved
What information is involved? Can the patients be identified? What personal or health information is included?
- Factor 2: Who Accessed the Data / To Whom Was the Data Disclosed
Was the data disclosed to a person in the organization, or in another HIPAA-covered organization, who is required to follow data privacy rules? In either of these cases, the risk is reduced, as both types of persons are trained in the HIPAA regulations.
- Factor 3: Was PHI Actually Acquired or Viewed
Was the PHI actually viewed or acquired? For example, an encrypted device containing PHI is stolen, but forensic analysis determines that no one accessed the PHI. In this case, there was a risk of a data breach, but the analysis determined that the PHI was not actually acquired or viewed.
- Factor 4: To What Extent Have You Mitigated the Risk
What actions have been taken to reduce the risk of PHI access? For example, has the PHI been returned to you? Have you taken steps to track down the device that was not returned by the former employee?
What should I do if a breach has occurred?
If, upon completion of the four-factor analysis, it is determined that a breach has occurred, then notification is required.
Affected persons must be notified, and the media and the state may be required to be notified as well.
If fewer than 500 persons are involved, the OCR must be notified at the end of the calendar year. Otherwise, the OCR must be notified within 60 days.
Take appropriate action
Not every disclosure of data is a breach. An investigation must be conducted to determine whether the disclosure constitutes a reportable data breach. If the disclosure is a data breach, then appropriate actions must be taken to report the breach to all relevant parties within the required time frames. Note that the required actions may vary by state.
Where can you get more information?
- This informative podcast from Husch Blackwell contains more information on this topic: HIPAA Breaches – When It Is, and When It Is Not a Breach
- Here is a discussion in HIPAA Journal on categories of HIPAA violations and associated penalties: HIPAA violations
- Listing of top HIPAA penalties: Top HIPAA penalties