2016 HIPAA Audits Part 2: Into the Breach
by Donna Koger, 11.2.15
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires HIPAA Covered Entities (CEs) and their Business Associates (BAs) to provide notification following a breach of unsecured Protected Health Information (PHI). Similar breach notification provisions apply to vendors of personal health records and their third party service providers.
What is a HIPAA breach?
A breach is an unauthorized use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. The Department of Health & Human Services (HHS) lists three exceptions to the definition of “breach”:
1. The first exception is the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
2. The second exception is the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
3. The third exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
How do you know if there has been a breach?
According to HHS, an unauthorized use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability the protected health information was compromised, based on a risk assessment of the following factors:
1. The nature and extent of the PHI involved, including the types of PHI identifiers
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
What should you do if there is a breach?
According to HHS, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to the HITECH Act.
HHS describes the breach notification requirements as follows: following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. HHS groups these requirements into four categories:
1. Individual Notice
2. Media Notice
3. Notice to the HHS Secretary
4. Notification by a Business Associate
For details on Notification of a Breach, consult the HHS website section on Health Information Privacy.
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.