The Three Exceptions to A Breach
Soon after implementation of the HIPAA privacy rule, some staff members would conclude that a violation had occurred because a doctor and a nurse were overheard speaking about a patient’s PHI, or a technician called out a patient by their actual name in the waiting room, or a white board at a nursing station contained PHI of patients on the Intensive Care Unit. Staff had yet to learn about the “Incidental Disclosure” rule that allows for incidental uses and disclosures that occur as a by-product of a use or disclosure permitted by the privacy rule, as long as reasonable safeguards are in place.
The same can be said today about breaches. There are still some staff members and some privacy officers who conclude that a breach has occurred when in fact the incident falls under an exception to the breach rule. With the implementation of the Omnibus rule on January 25, 2013, significant modifications to the breach notification rule were made to include three distinct exceptions to a breach. The definition of a breach remains the same and reads as follows: “a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the privacy rule which compromises the security or privacy of the protected health information.” However, if the incident falls under one of these three exceptions, no breach has occurred. Let’s take a closer look at each of these exceptions as described by the breach notification rule.
The first exception to a breach involves any unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of the CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the privacy rule. For this exception to apply, the access must be unintentional and in good faith, which can occur when a workforce member accesses the wrong patient’s chart. This exception would not apply if a technician is purposely “snooping” through electronic health records, as this is neither unintentional nor in good faith. Additionally, the unintentional access would have to occur while the technician is performing the duties she is authorized to perform. Finally, after the unintentional access, the PHI cannot be further disclosed in a manner not allowed by the privacy rule. For instance, if the information is further disclosed for a treatment activity, this exception would still apply. However, if the information garnered through the unintentional access is shared for “gossip” purposes, this first exception to a breach would not apply. In summary, the unintentional acquisition, access, or use must have been done in good faith, as part of the workforce member’s official duties, and not further disclosed in a manner not allowed by the privacy rule.
The second exception to a breach involves any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or at an organized healthcare arrangement in which the CE participates, where the information received as a result of such a disclosure is not further used or disclosed in a manner not permitted by the privacy rule. For this exception to apply, the disclosure must be inadvertent. For example, a nurse on the B Ward inadvertently e-mails Dr. Serrano the wrong lab results. Dr. Serrano views the results, notes that they belong to another patient, and notifies the nurse, who then sends him the correct lab results. Dr. Serrano deletes the e-mail and does not further disclose the lab results to anyone else in a manner not allowed by the privacy rule. Both the nurse and the doctor are authorized to access PHI, they both work at the same CE, and Dr. Serrano did not further disclose the PHI in a manner not allowed by the rule; thus this exception applies.
The third and final exception involves a disclosure of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. The preamble to the HIPAA rule uses the example of a CE that, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals; a few of the EOBs are returned by the post office, unopened, as undeliverable, so the CE can conclude that the improper addressees could not reasonably have retained the information. However, the EOBs that were not returned as undeliverable, and that the CE knows were sent to the wrong individuals, should be treated as potential breaches. The key for this exception to apply is whether the unauthorized person is able to retain the information. For example, pharmacies sometimes hand out the wrong prescription bag to a patient. If the patient walks to the exit, discovers it is the wrong medication, and quickly returns it to the pharmacy, the pharmacy can make an on-the-spot assessment as to whether the patient (the unauthorized person) was able to retain any of the demographic information belonging to the wrong prescription, i.e., name, DOB, etc. If the patient has not retained any of the information, this exception to a breach will apply.
In conclusion, the framers of the HIPAA privacy rule were aware of instances where unintentional or inadvertent uses or disclosures within a CE or BA, or disclosures to unauthorized individuals who could not reasonably retain the PHI, would pose little to no threat of compromise to a patient’s PHI. As a result, these three exceptions were created. When the next potential breach surfaces at your organization, don’t jump to conclusions. First gather all the facts and then determine whether an exception applies. If so, document the incident and the exception you applied, and retain that record in the appropriate log or files. If none of the exceptions apply, proceed with the four-factor breach assessment to determine whether there is a low probability that the PHI has been compromised. The steps for the assessment are provided here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html