Not all data breaches are HIPAA breaches and not all HIPAA breaches include data breaches. So, when should the OCR be contacted and how should a data breach be classified?
The Omnibus Rule made a number of alterations to terminology and definitions in HIPAA. The Breach Notification Rules were not changed, so the response to breaches remains the same as before, but additional elements were changed, most importantly regarding how a breach is reviewed.
The change places an obligation on the covered entity (CE) to determine the level of risk that exists after a breach has happened, and to carry out a thorough risk assessment to determine if PHI has potentially been compromised. While the current focus is on electronic health records, these rules also relate to physical records such as paper files and x-rays.
Reviewing a Potential HIPAA Data Breach
The decision about whether or not to report a data breach can only be made after considering these four factors:
- The organization must determine the types of personal identifiers and PHI that were exposed in the incident and could potentially be seen by an unauthorized individual
- The organization must identify, as far as is possible, who was to blame for the breach, who viewed or accessed PHI, and whether they were authorized to do so
- Decide whether the PHI was stolen or actually seen
- Decide whether a danger remains or if potential damage has been mitigated
The Department of Health and Human Services’ Office for Civil Rights website states that: “Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.”
Not all data is the same
While all patient healthcare data, including personal identifiers, should always be private and confidential, the exposure of some information is more significant than others. Social Security numbers, for instance, can be used to commit medical fraud if they are compromised in tandem with personal identifiers such as names and addresses.
The CE must therefore decide whether sensitive information has been accessed. If Social Security numbers, healthcare data – including medical histories and test results – along with personal identifiers have been compromised, this is reportable to the OCR.
Who obtained the information?
Was it a doctor reviewing the record of a friend or a hospital worker copying the entire database with the aim of selling the data on? What is the level of danger posed by the accessing of PHI? Was it with malicious intent or simply an innocent error? Was a business associate to blame? These are all questions that need to be addressed.
The range of the data breach
The level of risk rises with the number of people who have potentially obtained the PHI. CEs must decide if the data was actually obtained, whether the data was safeguarded – with passwords – where the data was saved and the chances of it being found. Could PHI potentially be distributed?
Does any risk persist?
In many instances, the danger of exposure of the data will be minimal. In others, such as in the case of a stolen laptop, the danger of the PHI being viewed may be considerable. An accurate assessment should be made of the dangers that existed and remain.
Should I Report a HIPAA Breach or Not?
There are exceptions to all of this, so not all data breaches are HIPAA breaches. If data is taken, or the device on which it is saved is stolen, and that data is encrypted, it will not be a HIPAA breach unless the security keys were also stolen or otherwise compromised in the attack.
The unintentional acquisition of PHI by a worker “acting under the authority of a covered entity or business associate” does not equate to a HIPAA breach, even if the PHI is accessed, provided it is done in good faith.
When a person permitted to view PHI at a covered entity or business associate inadvertently discloses data to another person authorized to access the data, and that data is not subsequently used in a way that breaches the HIPAA Privacy Rule, it is not a reportable incident.
Lastly, “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information” there may be no data breach.
Any HIPAA breach that is not made known to the OCR, or is reported after the 60-day reporting period, will be a violation and could incur a penalty, as will the failure to report a data breach that is covered by HIPAA regulations.