by Jay Hodes, President - Colington Consulting - HIPAA Compliance Experts
Just because a member of an
organization’s workforce violates HIPAA policies and procedures, it is not
necessarily a breach reporting requirement. The significant determination is
the extent to which any protected health information (PHI) may have been compromised
based on breach rule guidance. So, before getting too technical regarding that
determination, here are some cases to consider:
employee for a healthcare software company loses a computer containing the PHI
of 2000 patients. Reportable breach?
hospital system is the victim of a ransomware attack. Reportable breach?
A breach is generally an impermissible use or disclosure under the
Privacy Rule that compromises the
security or privacy of the PHI.
An impermissible use or disclosure of PHI is presumed to be a breach unless the
covered entity or business associate, as applicable, demonstrates that there is
a low probability that the PHI has been compromised based on a risk assessment
of at least the following factors:
The nature and extent of the PHI involved,
including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the PHI or to
whom the disclosure was made;
Whether the PHI was actually acquired or viewed;
The extent to which the risk to the PHI has been
Going through this type of breach “risk assessment” can be
challenging, especially in trying to determine if any PHI was acquired or
viewed. To further complicate this process, the guidance does not specify what exactly
a “low probability” is. So, this assessment process will take some work.
Begin by using a decision tree and asking questions such as
“Was the PHI disclosure to a person who reasonably would have not been able to
retain that information?” and “Was the PHI secured by encryption?” The
resulting series of yes or no responses will help to determine whether a breach
notification is required.
In most of these cases, the organization’s HIPAA Privacy and
Security Officials should take the lead with this process. There may be a need
to involve the organization’s healthcare and privacy attorney for advice. Experience
and expertise with the process are clearly essential to helping determine
It is important to document the results, especially in those
cases in which a determination was made that it was not a reportable breach. If,
for some reason, any of the PHI was in fact compromised and a breach report was
not made, demonstrating due diligence in the event an HHS Office for Civil
Rights (OCR) investigation is necessary.
Referencing the numbered case examples above:
This would be a reportable breach if the PHI was
not encrypted. However, if the PHI was encrypted, it could be an organizational
HIPAA violation based on policies and procedures for mobile devices.
This example is going to be a fact-specific
determination. In 2016, OCR issued guidelines on the topic of ransomware
attacks. If the PHI was encrypted, it may not be reportable. But any unsecured
PHI will be a reportable breach. (See the full factsheet.) In this case, the possibility exists that there may also be
a HIPAA violation based on the cause of the attack and whether proper
safeguards were followed by a workforce member or members.
My advice is to make sure your organization’s HIPAA Sanction
policies and procedures are clear for any violations, even for those cases that
are not reportable. Ensure the organization has a comprehensive breach
notification policy and accompanying procedures. Be familiar with the breach
risk assessment process and be prepared should an impermissible use or