This post is the first of a three-part series on HIPAA breaches. It explains the first step: conducting the risk assessment. Future posts will discuss the second and third steps required if the risk assessment reveals that a breach occurred. Note that this post and series do not address state privacy laws or the state notification or reporting requirements they impose upon a breach. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.
The Risk Assessment Process
Following the discovery of a potential breach, the medical practice that is the covered entity (CE), or its business associate (BA), must gather all the facts surrounding the incident. An acquisition, access, use, or disclosure of PHI that the Privacy Rule does not permit is presumed to be a breach unless (A) the practice “demonstrates that there is a low probability that the protected health information has been compromised” or (B) an exception applies. 45 C.F.R. 164.402.
A. Evaluating the Probability that PHI Has Been Compromised
HIPAA regulations provide four factors that a covered entity or business associate must consider before deciding there is a low probability that PHI has been compromised:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
To assist in evaluating these factors, ask questions such as:
- Which patients’ information was used, acquired, accessed, or disclosed?
- How many patients are implicated?
- What health information or individual identifiers were potentially involved?
- Who committed this potential breach and how did he/she have or gain access?
- Was it accidental or intentional?
- Is the information still unprotected or has it been reclaimed or destroyed?
- How sensitive was the information?
Before deciding not to consider an incident a breach, we recommend speaking with counsel or a HIPAA expert who can assist you in completing the risk assessment.
B. Determining if any Exception Applies
Under the HIPAA regulations at 45 C.F.R. 164.402(1), a breach excludes three scenarios: First, a good faith, unintentional acquisition, access, or use of PHI by a workforce member acting within the scope of his or her authority, provided the PHI is not further used or disclosed in a manner the Privacy Rule does not permit. Second, an inadvertent disclosure by a person authorized to access PHI to another authorized person within the same entity, again provided the PHI is not further used or disclosed impermissibly. Third, a disclosure where the entity has a good faith belief that the unauthorized recipient could not reasonably have retained the information. If you believe the situation triggers any exception, there may not have been a HIPAA breach. Regardless, we recommend documenting the steps your practice took to investigate the situation and the basis for concluding that an exception applies. If a breach should be reported and is not, HHS will be concerned not only by the breach but also by the practice’s failure to report it.
Stay tuned for part 2 of our series, all about notifying patients of a breach.
*Disclaimer: Thoughts shared here do not constitute legal advice.