Determining Whether a HIPAA Data Breach Occurred

By: Elizabeth Snell, HealthITSecurity

Covered entities need to be able to determine whether a HIPAA data breach has taken place following the potential exposure of sensitive data. The implementation of the HIPAA Omnibus Rule changed this process: an impermissible use or disclosure of PHI is now presumed to be a breach unless the entity can demonstrate otherwise, and the rule set out the specific factors used to make that determination.

The steps for responding to a HIPAA data breach did not change, but covered entities were given four factors to review before concluding whether a health data breach had in fact taken place. Essentially, a healthcare organization that wants to avoid treating an incident as a reportable breach must demonstrate that there is a low probability that the PHI was compromised, based on a risk assessment of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information could be re-identified;
  • The unauthorized person who used the PHI or to whom it was disclosed, including whether that recipient is itself bound by HIPAA (for example, another covered entity) or is an outside party with no such obligations;
  • Whether the PHI was actually acquired or viewed, or merely exposed;
  • The extent to which the risk to the PHI has been mitigated.

“Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised,” according to the Department of Health & Human Services’ (HHS) website. In other words, the risk assessment is the route to showing that notification is not required; an entity may skip it and simply notify.

Essentially, covered entities must first investigate what type of information was exposed and how readily it identifies a patient. Was it limited financial information, or were patients’ medical histories, Social Security numbers, or dates of birth compromised?

From there, organizations need to find out who inappropriately disclosed the PHI and who received it. Was it an employee or an outside party? Is a business associate at fault? This matters more after the implementation of the Omnibus Rule, which made business associates directly liable for complying with the Security Rule and many Privacy Rule requirements.

The third factor asks whether the exposed PHI was actually viewed or used. For example, if an email containing a database of patients’ PHI was sent to an outside party, did that individual actually open the message and its attachment? Did he or she forward the information to anyone else? Evidence such as mail server logs, read receipts, or a written attestation from the recipient that the message was deleted unread bears directly on this factor.

Finally, healthcare organizations must show the extent to which the risk has already been mitigated. Did the covered entity take steps that reduce the exposure of the specific PHI involved, for example by obtaining written assurance from the recipient that the information was returned or destroyed, or by remotely wiping a lost device before it could be accessed? Note that this factor concerns the data that was exposed: adding a password or enabling encryption on a laptop after it has already been accessed does not lessen the risk from the copy that was already viewed, although it remains a sensible control going forward.

Exceptions to the HIPAA data breach definition

It is also important to note that there are three exceptions to the data breach definition, according to HHS. First, a breach may not have taken place if the acquisition, access, or use of PHI is unintentional and made “in good faith” by a workforce member or a person “acting under the authority of a covered entity or business associate,” provided that person was acting within the scope of that authority and the PHI was not further used or disclosed in a way the Privacy Rule does not permit.

The second exception is an inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement). For example, if one doctor at a hospital discloses PHI to another doctor at the same hospital, an exception to the HIPAA data breach definition could apply. However, the data in question must not be further used or disclosed in any way that violates the HIPAA Privacy Rule.

Finally, an exception to the HIPAA data breach definition can apply “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.” Essentially, if PHI reached an unauthorized person but the entity reasonably believes that person could not have read, kept, or copied it (for example, paperwork handed to the wrong individual and retrieved before it could be read), an exception could potentially be found.

Overall, the key thing to remember is that the breach notification obligations apply only to unsecured PHI. PHI counts as secured when it has been made “unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance,” which in practice means encryption consistent with the NIST guidance HHS references, or proper destruction of the media. The safe harbor holds only if the decryption key was not also compromised: a lost encrypted laptop whose passphrase is written on a sticky note in the bag, or whose key is stored on the same device, is still unsecured PHI. Covered entities need to follow the HIPAA Security Rule to ensure that these protections are in place before an incident occurs. That way, even if data is lost or stolen, healthcare organizations may not have to treat the incident as a reportable breach, and can potentially avoid the associated federal penalties.

A HIPAA data breach is not always the result of a healthcare facility’s security measures being infiltrated; a misdirected email or a lost device is enough. However, it is essential that covered entities are able to determine whether this type of breach occurred and know how to take the next steps.