Identifying Reportable HIPAA Breaches
Senior Compliance Attorney
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires “covered entities” to protect a person’s individually identifiable health information, known as PHI. Covered entities are defined as health care providers, health plans, and health care clearinghouses.
In the course of business, PHI may be breached. A “breach” is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of an individual’s PHI. An impermissible use or disclosure is presumed to be a breach unless there is a low probability that the PHI has been compromised.
As a covered entity, you may encounter the following situations that could be considered a breach of PHI:
- Faxing, emailing, or sending PHI to the wrong recipient
- Employees discussing PHI in a public area with non-employees within hearing distance
- Leaving a computer screen unlocked with PHI displayed on a medication cart in a common hallway
- Unauthorized social media posts by employees that contain patient PHI in videos or photographs
However, before you are required to report any of these occurrences, you must follow your internal breach notification process.
Process of Identifying a Breach
1. Staff education is crucial so that employees can identify these situations and properly report them to the designated Privacy Officer.
2. Once a situation is reported, the Privacy Officer is obligated to perform and document a risk assessment to determine whether the impermissible use or disclosure is a reportable HIPAA breach.
3. In performing the risk assessment, the presumption of a breach can be overcome by demonstrating there is a low probability that the PHI has been compromised based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
4. The Privacy Officer must also keep in mind the three exceptions to the definition of a HIPAA breach:
- The PHI was unintentionally acquired or accessed in good faith by an employee working in the scope of their role and authority;
- The PHI was inadvertently disclosed by a person authorized by the covered entity to access PHI to another authorized person at the same covered entity, or at an organized health care arrangement in which the covered entity participates, and the PHI was not further used or disclosed; or
- The covered entity has a good faith belief that the unauthorized person who received the PHI would not have been able to retain the information.
5. The Privacy Officer is required to document all findings regarding the reported situation. If the Privacy Officer determines that one of the exceptions to the definition of breach applies OR that there is a low probability that the PHI has been compromised, there is no reporting requirement.
If any of these exceptions applies, the situation does not qualify as a breach.
When to Report a HIPAA Breach
Once the Privacy Officer has determined, following the process outlined above, that an actual breach has occurred, notification must be made in writing to the affected individual(s) without unreasonable delay, and no later than 60 days after the breach is discovered. Breaches involving 500 or more individuals also require notice to OCR (submitted via the HHS website) and to media outlets, without unreasonable delay and no later than 60 days after discovery.
As discussed in our recent companion article, breaches involving fewer than 500 individuals must be reported to the Office for Civil Rights by March 1st. Remember, you must first go through the risk assessment process to determine whether something is truly a breach before reporting it.
For more information on HIPAA breaches and notification requirements, please visit the HHS website: Breach Notification Rule