Through our Incident and Breach Support Service, we provide resources that allow users to determine whether a HIPAA privacy or security incident is a “breach of unsecured PHI” that must be reported to individuals, HHS, or the media. Our Incident Response Team meets with users to go over general questions users have about both the tools and the reporting process. The IBSS does not constitute legal advice or a legal service.
Overview of Compliancy Group Resources for Incident and Breach Support Service
Under the HIPAA Breach Notification Rule, breaches of unsecured PHI must be reported to affected individuals, the Department of Health and Human Services (HHS), and in some cases, prominent media outlets. Compliancy Group provides users with a series of guidance tools. These guidance tools allow the client to determine whether it has sustained a privacy or security incident that constitutes a breach of unsecured PHI, and if so, whether the breach must be reported.
Please note that Compliancy Group does not provide legal advice.
What is a “Breach”?
§ 164.402 of the HIPAA Breach Notification Rule defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule], which compromises the security or privacy of the protected health information.”
Unsecured protected health information means protected health information that "is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5." That HHS guidance identifies two such methodologies: encryption (consistent with the NIST standards it references) and destruction. Encryption only takes PHI out of the "unsecured" category if the decryption key or process was not itself compromised; encrypted data whose key was exposed in the same incident is still unsecured PHI. (A separate job aid explains the definition of unsecured protected health information in greater detail.)
There are exceptions to what is considered a "breach." These are:
1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was (1) made in good faith and within the scope of authority, and (2) does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity. Similarly, to determine whether the access, acquisition, or use was made “within the scope of authority,” the covered entity or business associate should consider whether the person was acting on its behalf at the time of the inadvertent acquisition, access, or use.
Here is an example that illustrates the exception:
A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee’s use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.
In contrast, a receptionist at a covered entity who is not authorized to access protected health information decides to look through patient files in order to learn of a friend’s treatment. In this case, the impermissible access to protected health information would not fall within this exception to breach because such access was neither unintentional, done in good faith, nor within the scope of authority.
2. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
For example, no notification is required if a medical staff member mistakenly discloses PHI to the wrong nurse at a facility but the nurse does not further use or disclose the PHI improperly.
3. A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Here are some examples that explain this exception:
A covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.
As another example, a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then this would not constitute a breach.
What is the Significance of a Breach of Unsecured PHI?
Only breaches of unsecured protected health information must be reported – to affected individuals, to HHS, and in some instances, to the media. The HIPAA Breach Notification Rule, 45 CFR 164.400-414, imposes the notification requirement.
Here is the “test” to determine whether a breach is reportable:
An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule is presumed to be a breach (and thus reportable) unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
So, what if an entity has determined that it needs to report a breach? What must it do?
Breach Notification Process
When a breach of unsecured PHI is discovered, Covered Entities must notify affected individuals without unreasonable delay and in no case later than sixty calendar days after discovery of the breach. The notification must include a description of what happened (including the date of the breach and the date of discovery, if known), the types of unsecured PHI involved, the steps individuals should take to protect themselves from potential harm, what the covered entity is doing to investigate, mitigate harm, and prevent further breaches, and contact procedures for individuals with questions.
The Department of Health and Human Services (HHS) must also be notified within sixty calendar days of discovery for breaches affecting 500 or more individuals. Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than sixty days after the end of the calendar year in which the breach was discovered.
For breaches affecting 500 or more residents of a state or jurisdiction, covered entities are also required to notify prominent media outlets serving that state or jurisdiction, within the same sixty-day window.
Business associates are also required to comply with the Breach Notification Rule. When a business associate discovers a breach of unsecured PHI, it must notify the covered entity for which it is providing services without unreasonable delay and in no case later than sixty calendar days after discovery. The business associate agreement may impose a shorter deadline, and a business associate should check it. The notification to the covered entity must include the information the covered entity needs to comply with the Breach Notification Rule, such as the identity of each affected individual, to the extent possible.
How Does Compliancy Group Help?
Compliancy Group users receive policies and procedures on the topics of breach determination and notification. Users also complete a series of guided self-audit questions to assess their state of compliance with the HIPAA Breach Notification Rule.
If a client believes a breach of unsecured PHI may have occurred, Compliancy Group sends the client two job aids, which are guidance documents that assist users in determining whether an incident is a breach. The two documents are (1) a job aid providing guidance on whether unsecured PHI is involved in an incident (the "Unsecured PHI Job Aid"), and (2) a job aid going over whether the breach is one that must be reported (the Breach Determination Assessment form). The client is advised in an "initial breach" email to complete the forms and, upon completion, to schedule a "breach meeting" with Compliancy Group.
During the breach meeting, Compliancy Group's subject matter experts (the Incident Response Team) assist users with any questions about the terminology referenced in these guidance documents and go over what factors to consider in determining whether an incident is a reportable breach. The client is ultimately responsible for determining whether an incident is a reportable breach. Clients may schedule follow-up meetings as necessary. During the meeting, we also remind users that they can and should track the incident in The Guard (through the Incident Management feature), so that the discovery date, the risk assessment, and any notifications sent are documented.