I Think A HIPAA Breach May Have Occurred. What Do I Do Now?
If the practice discovers that a potential breach has occurred, the practice will need to determine the extent to which protected health information (PHI) has been compromised, if at all, and whether notification is required.

Only the practice's HIPAA privacy and security officer/s can make the determination that a breach has, or has not, occurred, and only after a fact-specific risk assessment of the incident has taken place. The practice should notify the risk management department at its liability carrier and seek legal guidance from its attorney/s regarding how such a risk assessment is to be conducted in the practice, and what further steps, if necessary, must take place.
Risk Assessments - examples of things to consider:

Risk assessment under the Final Rule requires consideration of at least these four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Factor 1:
Evaluate the nature and the extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the PHI:
- Social Security numbers, credit cards, financial data (risk of identity theft or financial fraud)
- Clinical detail, diagnosis, treatment, medications
- Mental health, substance abuse, sexually transmitted diseases, pregnancy

Factor 2:
Consider the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made:
- Does the unauthorized person who received the information have obligations to protect its privacy and security?
- Does the unauthorized person who received the PHI have the ability to re-identify it?

Factor 3:
Consider whether the PHI was actually acquired or viewed, or whether only the opportunity existed for the information to be acquired or viewed.
- Example: A laptop computer was stolen and later recovered. If IT analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual, although the opportunity existed.

Factor 4:
Consider the extent to which the risk to the PHI has been mitigated.
- Example: Obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement, etc.) or will be destroyed (if the assurance is credible and reasonable).

Evaluate the overall probability that the PHI has been compromised by considering all the factors in combination (and more, as needed).
Risk assessments should be:
- Thorough,
- Completed in good faith, and
- Reasonable in their conclusions.

If evaluation of the factors fails to demonstrate a low probability that the PHI has been compromised, breach notification is required.

A covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment.
Also, see the US HHS Office of Civil Rights website for information on the breach notification rule: http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

The most current version of TMA's Policies and Procedures: A Guide for Medical Practices has an extensive section on HIPAA Privacy and Security, including sample notification letters and policies and procedures relating to risk assessments: www.texmed.org/policiesandprocedures

Links to tools, resources, and information related to HIPAA can be found on the TMA website here: www.texmed.org/hipaa

Also, the US HHS Office of Civil Rights has published a very informative Guide to Privacy and Security of Electronic Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
NOTICE: The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice, and 3) the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather, legal advice from retained legal counsel should be sought.