Under HIPAA, a breach is any impermissible use or disclosure of protected health information (PHI) that does not fit into one of the following exceptions (45 C.F.R. §164.402):
- Unintentional access, use, or acquisition of PHI by an employee of a covered entity or business associate (BA), made in good faith, that would not result in further use or disclosure;
- Inadvertent disclosure from one authorized person to another authorized person;
- Disclosure where the covered entity or BA has a good faith belief that the unauthorized person who received the PHI would not likely retain the information;
- Low probability of compromise as determined by a risk assessment of the following factors:
  - Nature and extent of PHI involved, including the likelihood of re-identification;
  - The unauthorized person who used the PHI or to whom the disclosure was made;
  - Whether the PHI actually was acquired or viewed;
  - The extent to which the risk to the PHI has been mitigated.
What constitutes PHI?
PHI under the Privacy Rule is all individually identifiable health information held or transmitted by a covered entity or BA in any form or media that relates to the individual’s past, present or future physical or mental health condition, the provision of health care to the individual, or past, present or future payment for health care provided to the individual. Individually identifiable health information includes a range of specified identifiers such as name, address, date of birth, fingerprint or full-face photograph, vehicle license, IP address, etc. (45 C.F.R. §160.103)
The Risks of Unsecured PHI
The Office for Civil Rights (OCR) provides guidance for keeping PHI secure. In the event of a breach of unsecured PHI, the covered entity is required to follow the Breach Notification Protocol. Therefore, it is critical for providers to take the appropriate safeguards for securing PHI. Below are examples of unsecured PHI and practices that increase the risk of a HIPAA breach:
- Lost or stolen laptops, desktop computers, tablets, and other devices containing unsecured PHI
- Discussing patient information in public areas
- Leaving patient files in public areas
- Leaving a computer unattended in an accessible area with unsecured PHI
- Employees that inappropriately access patient information
- Sending patient information to the wrong patient
- Discussing patient information with friends, family or co-workers
- Improperly disposing of patient records
- Texting or emailing unsecured PHI
- Posting photos or information regarding patients on social media sites
- Releasing unauthorized PHI due to incomplete or invalid HIPAA forms
- Failure to adhere to expiration dates specified on HIPAA forms
- Impermissibly disclosing PHI in response to a subpoena that does not meet the requirements of the Privacy Rule
- Being the victim of a cyber attack that compromises PHI
Unfortunately, cyber attacks are on the rise. Using ransomware and phishing scams, attackers are able to victimize even organizations that use encryption, password protection, and/or a VPN. A couple of recent breaches, such as MedStar in DC and Hollywood Hospital in LA, resulted in EHRs being taken offline, a return to paper processes, and consequently disrupted and delayed patient care.
The Security Official has determined a breach has occurred, now what?
- The covered entity is required to notify the affected individuals of any unauthorized access, use, disclosure or acquisition in writing, without unreasonable delay and within 60 days after discovery of the breach (in some states, within 30 days).
- If >500 individuals are affected, HHS should be notified at the same time as the affected individuals, and the breach should also be reported to major media outlets in the region.
- If <500 individuals are affected, HHS must be given a list of all breaches affecting fewer than 500 individuals within 60 days after the end of the calendar year.
- If the breach originated from a BA, the BA must notify the covered entity immediately upon discovery. The covered entity is ultimately responsible for the Breach Notification Protocol, but this can be made the BA’s responsibility if it is part of the BA Agreement. A recent $750,000 settlement for a HIPAA violation by an orthopedic practice demonstrates the need to have BA Agreements in place prior to disclosing PHI to a BA.