HIPAA Breach or Not? When Must the OCR Be Informed?

The Health Insurance Portability and Accountability Act lays down the procedures which must be followed after covered entities (CEs) discover that hackers have gained access to their networks, that laptops containing unencrypted protected health information (PHI) have been lost or stolen, or that members of staff have accessed patient health records without authorization. But how can you tell whether your incident is a HIPAA breach or not?

When the OCR must be informed of a Data Breach

Not all data breaches are HIPAA breaches and not all HIPAA breaches involve data breaches. So, when should the OCR be informed and how should a data breach be classified?

The Omnibus Rule made a number of amendments to terminology and definitions in HIPAA. The Breach Notification Rule itself was not rewritten, so the steps for responding to a breach remain the same as before, but related elements were changed, most importantly how a breach is assessed.

The change places a requirement on the CE to determine the level of risk that exists after a breach has occurred, and to conduct a thorough risk assessment to determine whether PHI has potentially been compromised. While the current focus is on electronic health records, these rules also apply to physical records such as paper files and x-rays.

The decision about whether or not to report a data breach should only be made after considering these four factors:

Assessing a Potential HIPAA Data Breach

  1. Determine the types of personal identifiers and PHI that were exposed in the incident and could potentially be viewed by an unauthorized individual
  2. Identify, as far as is possible, who was responsible for the breach, who viewed or accessed the PHI, and whether they were authorized to do so
  3. Determine whether the PHI was stolen or actually viewed
  4. Determine whether a risk remains or whether the potential damage has been mitigated

According to the Department of Health and Human Services’ Office for Civil Rights website, “Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.”

Not all data is equal

While all patient healthcare data, including personal identifiers, should be kept private and confidential, the exposure of some information is more serious than others. Social Security numbers, for instance, can be used to commit medical fraud if they are compromised along with personal identifiers such as names and addresses.

The CE must therefore determine whether sensitive information has been released. If Social Security numbers or healthcare data, such as medical histories and test results, have been compromised along with personal identifiers, this is reportable to the OCR.

Who accessed the information?

Was it a doctor checking the record of a friend, or a hospital employee copying the entire database with the intention of selling the data on? What level of risk is posed by the access to the PHI? Was it done with malicious intent, or was it simply an innocent mistake? Was a business associate responsible? These are all questions that need to be asked.

The extent of the data breach

The level of risk increases with the number of people who could potentially have accessed the PHI. CEs must determine whether the data was actually viewed, whether the data was protected, for example with passwords, where the data was stored, and the likelihood of it being found. Could the PHI potentially be divulged?

Does any risk remain?

In many cases, the risk of exposure of the data will be very low. In others, such as in the case of a stolen laptop, the risk of the PHI being viewed may be considerable. An accurate assessment should be made of the risks that existed and remain.

Should I Report the Matter as a HIPAA Breach or Not?

There are exceptions, so not all data breaches are HIPAA violations. If data is lost, or the device on which it is stored is stolen, and that data is encrypted, it will not be a HIPAA violation unless the security keys were also stolen or otherwise compromised in the incident.

The unintentional acquisition of PHI by an employee “acting under the authority of a covered entity or business associate” does not constitute a HIPAA breach, even if the PHI is accessed, provided it is done in good faith.

The second exception covers a person authorized to view PHI at a covered entity or business associate who inadvertently discloses data to another person who is also authorized to access it. Provided the data is not subsequently used in a way that violates the HIPAA Privacy Rule, it is not a reportable violation.

Finally, “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information” there may be no violation.

Any HIPAA breach that is not reported to the OCR, or that is reported after the 60-day reporting limit, will be a violation and could incur a penalty, as will the failure to report a data breach that is covered under the HIPAA Regulations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.