HIPAA’s Breach Notification Rule (45 CFR §§ 164.400-414) stipulates that covered entities must notify individuals whose information may have been compromised in a breach. But what does that mean exactly?
To help covered entities understand their obligations under the Breach Notification Rule, the Department of Health & Human Services (HHS) provides some guidelines. Generally speaking, a breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI).”
To further understand whether a breach has occurred, covered entities should examine how the facts surrounding the potential breach align with the following four factors:
Four Factors that define a HIPAA Breach
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification: Some forms of PHI are more easily identifiable as belonging to a particular patient than others. A doctor’s notes that include a person’s first and last name, for example, are presumably clearly identifiable and more likely to indicate a breach. If a small anonymized dataset is disclosed from which an observer might infer a match between a specific record and a particular identifiable individual, then the risk of a breach may be considered lower. Furthermore, a record that indicates specific medical conditions such as mental health issues or sexually transmitted diseases would receive a higher risk assessment than one which provides information that might otherwise be publicly available. The more information that is disclosed, the higher the risk that the patient might be identified. A risk assessment should also take into account the total number of PHI records breached.
- The unauthorized person who used the protected health information or to whom the disclosure was made:If the PHI was obtained by another healthcare organization that is bound by HIPAA’s Privacy Rule, then the severity of a breach may be diminished considerably. That would include covered entities such as health insurance companies, HMO’s, or other medical practices. If, on the other hand, information was disclosed to hackers, members of the public, or family members who are not otherwise authorized to have access to the patient’s PHI, then the risk is substantially higher that a breach has occurred.
- Whether the protected health information was actually acquired or viewed: If the information was actually received and viewed by an unauthorized party, then it is more likely to be considered a breach of the HIPAA Privacy Rule. If, on the other hand, an individual receiving the information deleted or otherwise destroyed the information before looking at it, then the severity of the potential breach is lessened. It’s important to note that even when PHI is accessed by accident, a breach may still have occurred. If an e-mail containing PHI is accidentally sent to the wrong address, for example, and the recipient opens it and views confidential information, HHS would consider that a breach has taken place.
- The extent to which the risk to the protected health information has been mitigated: An overall breach assessment is also affected by the degree to which an organization has taken measures to mitigate risk. For example, it’s important to ask all third-party contractors top sign confidentiality agreements. In the case of service providers such as e-mail hosting companies or secure cloud fax services a well-crafted Business Associate Agreement (BAA) is essential.
3 Exceptions to a HIPAA Breach
Fortunately, covered entities are protected from overzealous application of the HIPAA Privacy Rule in three specific instances:
- Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate. This exception only applies if the access to PHI was made in good faith, and within the person or organization’s scope of authority. This is one more reason to have a signed BAA in place with every service provider who might have access to PHI, and signed confidentiality agreements with all consultants or contractors.
- Inadvertent disclosure of PHI to another person authorized to access protected health information at the same covered entity or business associate. In other words, if PHI is accidently revealed to someone in the organization who is also bound by HIPAA’s Privacy Rule, then the exception applies, and no breach has taken place.
- The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information. If test results are mailed to a patient at the wrong address, for example, but the envelope was returned unopened, then it is presumed that a breach did not occur because the unauthorized recipient did not retain the information.
By understanding the nuances of what defines a HIPAA breach, healthcare organizations will be better equipped to respond quickly and effectively when an incident occurs.
The best defense, of course, is a proactive approach to protecting PHI from unauthorized disclosure in the first place. By adhering to strict policies and procedures, training staff, and having signed BAAs or confidentiality agreements in place, you’ll be better equipped to defend your organization if an adverse event occurs.