You don’t need to be a healthcare professional to know that data breaches have plagued the industry for years. Under HIPAA, a breach is an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security. The HIPAA Breach Notification Rule requires you to notify every individual whose unsecured PHI is compromised in a breach. Not every impermissible disclosure rises to that level, though: if you can demonstrate a low probability that the PHI was compromised, notification is not required. So how do you determine the extent of a breach and your notification responsibilities?
First, before you start reporting every possible breach that comes to your attention, keep in mind that the rule carves out three exceptions to the definition of a breach. In those cases, an impermissible use or disclosure isn’t considered a breach at all.
Read more: The Three Exceptions to a HIPAA Breach
But what if none of the exceptions applies? Then the disclosure is presumed to be a breach, and you must move on to the four-factor HIPAA breach risk assessment to discover the extent of the exposure and the risk to patients’ PHI. From there, you’ll be able to determine your notification responsibilities.
Four-Factor HIPAA Breach Risk Assessment
The goal of a breach risk assessment is to determine the probability that PHI has been compromised. An impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised; if you can, you don’t have to notify affected parties, but if the probability is anything greater than low, you do. Keep in mind that you can also skip the risk assessment altogether and notify all parties right away. The assessment exists to justify not notifying, never to justify delaying.
When you conduct a breach risk assessment, rate each of the following four factors as low, medium, or high risk, then weigh them together to reach an overall risk level. The four factors come from the rule itself, so document your reasoning on each one.
1. What type of PHI was involved, and to what extent?
First, assess how identifying the PHI was, and whether the information makes it possible to re-identify the patient or patients involved. Did it include credit card numbers, Social Security numbers, or similar data that increase the risk of identity theft or financial fraud? Don’t focus only on the sensitivity of clinical data, such as a patient’s HIV status or mental health history. Also look at how many data elements were disclosed together: a name, date of birth, and address combined with a diagnosis, medication list, and treatment plan is far more identifying, and far more damaging, than any one of those elements alone.
Even if minimal information was involved, consider whether the context and other circumstantial information could be combined with it to re-identify the patient or patients. Re-identification from circumstantial details is easier in a small town than in a big city, so keep your community size in mind.
2. Who was the unauthorized person or organization?
Next, consider who received the PHI. Could the recipient re-identify the individuals? Is the recipient under a legal obligation to protect the privacy and security of PHI? If you disclosed it to another HIPAA-covered entity, to a business associate, or to a federal agency bound by the Privacy Act, there is a lower probability that the PHI was compromised, because the recipient must already safeguard it. If the information went to a local gas station, grocery store, or other private business, for example by a misdirected fax, the risk is greater because those businesses have no obligation to protect PHI.
3. Did the person or organization acquire or view the PHI?
Was the PHI actually acquired or viewed, or did the opportunity merely exist? For example, an unauthorized person may steal a laptop containing PHI. If forensic analysis shows the PHI was never accessed, then it wasn’t acquired or viewed, despite the opportunity. (Note that if the laptop was encrypted to the HHS standard, the PHI counts as secured and the breach notification requirements don’t apply at all; the risk assessment is only for unsecured PHI.)
On the other hand, the organization might mail PHI to the wrong person, who opens the envelope and then calls to say it was sent in error. In this case the unauthorized person did acquire and view the PHI, at least enough of it to realize it was misdirected.
4. To what extent have you mitigated the risk?
Don’t reach a conclusion about a breach’s risk level until you have mitigated its effects to the best of your ability. One method is to obtain the unauthorized recipient’s written assurance (a confidentiality statement or attestation) that the PHI won’t be further used or disclosed, or that the recipient has destroyed it. The weight of such an assurance depends on who gives it: an orthopedic practice is itself bound by HIPAA and has processes for handling PHI, while a restaurant is not and does not.
Other mitigation steps could include the recipient returning the documents to your organization, shredding them, or deleting the email. Each situation is different and calls for different mitigation efforts, and what you do in the wake of a breach affects whether the overall risk of compromise is low, medium, or high. Record each step, who performed it, and when.
Completing the Breach Risk Assessment
After examining all four factors, you must draw a good-faith conclusion about the overall probability that the PHI was compromised. Based on the nature of the PHI, the unauthorized person who received it, whether the PHI was acquired or viewed, and the mitigation steps taken, is it likely or unlikely that the PHI was compromised? If you can’t demonstrate a low probability, you must notify all individuals whose PHI was involved. Document the assessment and its outcome either way: the burden of proof is on the covered entity, and the notification clock (without unreasonable delay, and no later than 60 calendar days from discovery of the breach) runs while you assess.
But who else needs to be notified? How? And in what timeframe? In an upcoming post, you’ll learn about the next steps after completing your risk assessment: the who, when, and how of breach notification.
HIPAAtrek can help you create a culture of security compliance. In the HIPAAtrek platform, you can record all security incidents and use the integrated Breach Risk Assessment Tool to determine if the incident was a breach. This feature leaves an auditable trail of compliance. Request a demo or contact us for more information.