Breach Under HIPAA May Have Occurred: Am I Required to Notify?
As you may know, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) imposes standards for the use and disclosure of protected health information (“PHI”) through its privacy rule (“Privacy Rule”) and imposes standards for the protection of electronic PHI through its security rule (“Security Rule”). As of September 2009, entities covered by HIPAA, including health plans and health care providers (“covered entities”), must notify individuals when their “unsecured” PHI (PHI that is unencrypted) has been breached.
A breach exists if there is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, and such action compromises the security or privacy of the PHI.
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) includes three exceptions to the definition of “breach,” which include situations where a violation of the Privacy Rule has occurred, but the violation is not to be considered a breach. Those include:
- A breach excludes any unintentional acquisition, access or use of PHI by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
- A breach excludes inadvertent disclosures of PHI from a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
- Also exempted are disclosures of PHI where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
… a breach is presumed unless, through a risk assessment, the covered entity determines that there is a Low Probability that the data has been Compromised (‘LoProCo’).
If it is established that the acquisition, access, use or disclosure of PHI violates the Privacy Rule, and that the breach does not meet any of the three regulatory exceptions, a breach is presumed unless, through a risk assessment, the covered entity determines that there is a Low Probability that the data has been Compromised (“LoProCo”). To make this determination, the U.S. Department of Health and Human Services (“HHS”) provides that covered entities and business associates must conduct a risk assessment, taking into consideration, among other things, the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- Who was the unauthorized person who received or accessed the PHI;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
For example, assume that a hospital sends a fax with patient medical information to the wrong fax number outside of the hospital. In performing this analysis, the covered entity should:
- Determine whether the PHI – the medical information – identifies the patient, which it is likely it does;
- Consider who received the fax. Was it sent to another covered entity that also has confidentiality requirements, which would be viewed as favorable? Or was it sent to a local business that does not have confidentiality requirements?;
- Determine whether or not the PHI was actually acquired or viewed or whether there was an opportunity for the PHI to be acquired or viewed. The probability of compromise is lower if only the opportunity existed for the PHI to be acquired or viewed but the PHI was not actually acquired or viewed. However, the covered entity should presumed that the fax was viewed unless further information provides that there was no opportunity to view or acquire the information and;
- Mitigate the breach by requesting that the recipient either return or destroy the information.
If the covered entity makes the determination through an in-depth LoProCo analysis that the breach of the PHI does not pose a significant risk of financial, reputational or other harm to the individual, then no breach notification is required. As matter of prudent business practice, the covered entity should always document their risk assessments in order to demonstrate, if necessary, that no breach notification was required.