4 Steps to Assess a Possible HIPAA Data Breach
The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorized access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.
There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorized to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:
- PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
- Unauthorized Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
- Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
- Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.
If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:
- Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, your website or public media with an 800 number should be publically presented for 90 days.
- Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.
With the lower “bar” for a breach and the documentation standards, your practice needs to maintain appropriate procedures, train employees, and enforce your policies to minimize the risk of impermissible uses and disclosures. In order to monitor evolving issues and avoid future problems: Review each data breach to determine if changes to policies and procedures need to be made as well as remedial training to avoid future breaches.
On a periodic basis review the impermissible use and disclosures for trends and issues that may require adjustments to your HIPAA compliance strategy. Indeed, continuing incidents that are not breaches could indicate a serious weakness that could lead to a breach. For example, continuing loss and recovery of EHR backups could indicate the need to change the backup procedures or strategy. Breaches can cost you money and undermine the confidence of your patients in the confidentiality of their PHI. With the lower breach trigger and the documentation requirement for your analysis to determine if a breach has occurred, you need to work to avoid breaches as well as impermissible uses and disclosures.