Welcome to the first post in our three-part HIPAA Breach series! Our healthcare and business law firm often works with medical practices to determine whether an act involving patient privacy constitutes a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requiring notification and reporting of any breach. By law, a patient’s health information can only be used and disclosed for specific reasons. When there is a risk that patient information has been accessed, used, or disclosed in a way that is not permitted, there may be a HIPAA violation. More information about the HIPAA rules can be found on our website here and the U.S. Department of Health and Human Services’ (HHS) website here. There are generally three initial steps a practice takes in the face of a potential HIPAA breach. First, performing a risk assessment to determine whether a breach, in fact, occurred. Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified. Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).
This post is the first of a three-part series on HIPAA breaches. This post explains the first step—conducting the risk assessment. Future posts will discuss the second and third steps required if the risk assessment reveals a breach occurred. Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, firstname.lastname@example.org. You may also learn more about our law firm by visiting www.hamillittle.com.
The Risk Assessment Process
Following the discovery of a potential breach, the medical practice that is the covered entity (CE) (or a business associate thereof), must gather all the facts around the incident. The unpermitted acquisition, access, use, or disclosure of PHI is a breach unless (A) the practice “demonstrates that there is a low probability that the protected health information has been compromised” or (B) an exception applies. 45 C.F.R. 164.402.
A. Evaluating the Probability that PHI Has Been Compromised
HIPAA regulations provide four factors that a covered entity or business associate must consider before deciding there is a low probability that PHI has been compromised:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated
To assist in evaluating these factors, ask questions such as:
- Which patients’ information was used, acquired, accessed, or disclosed?
- How many patients are implicated?
- What health information or individual identifiers were potentially involved?
- Who committed this potential breach and how did he/she have or gain access?
- Was it accidental or intentional?
- Is the information still unprotected or has it been reclaimed or destroyed?
- How sensitive was the information?
Before deciding not to consider an incident a breach, we recommend speaking with counsel or a HIPAA expert who can assist you in completing the risk assessment.
B. Determining if any Exception Applies
Under the HIPAA regulations at 45 C.F.R. 160.402(1), a breach excludes three scenarios: First, a good faith, unintentional acquisition, access, or use of PHI by an employee. Second, an inadvertent disclosure to another authorized person within the entity. Third, when the recipient could not reasonably have retained the data. If you believe the situation triggers any exception, there may not have been a HIPAA breach. Regardless, we recommend documenting the steps your practice took to investigate the situation and whether an exception applies. If a breach should be reported and is not, HHS will not only be concerned by the breach but also the practice’s failure to report the breach.
Stay tuned for part 2 of our series, all about notifying patients of a breach. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, email@example.com. You may also learn more about our law firm by visiting www.hamillittle.com.
*Disclaimer: Thoughts shared here do not constitute legal advice.