What is a breach?

A breach is an impermissible disclosure or use of protected health information (PHI). Typically, a breach compromises the security and privacy of PHI.

How do you determine if a breach has occurred?

The burden of determining whether a breach has occurred falls on the Covered Entity or Business Associate. The Covered Entity or Business Associate must conduct a risk assessment to evaluate whether the unsecured PHI is likely to harm the patient in any way. Factors to consider include what information was viewed or accessed, who the unauthorized person was that viewed or accessed it, and the extent to which the risk can be mitigated.

Health and Human Services (HHS) defines unsecured PHI as “information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.”

In the event of a potential breach, it is important to consider whether the incident falls under one of the exclusions from the definition of a breach. One type of incident that is not considered a breach is unintentional access to PHI by someone who is authorized to access PHI. For example, a nurse might accidentally view the wrong patient in the electronic health record while searching for one of his patients. As long as he does not misuse or share that information, it can be deemed an incidental disclosure that does not require breach notification. An inadvertent disclosure of PHI from one covered entity to another, provided no further disclosure is made, is another situation that is usually not considered a breach. Lastly, if the Covered Entity or Business Associate believes the unauthorized person who received the PHI could not have retained the information, the incident would typically not constitute a breach.

What do you do after a breach has occurred?

If a breach is discovered, the Covered Entity must notify the patient(s) whose information was disclosed. If the breach occurred under a Business Associate, the Business Associate must notify the Covered Entity, and the two organizations can determine who will notify the patient. If there is insufficient contact information to notify the patient, a substitute notice is required: either a notice in print or broadcast media, or a posting on the Covered Entity’s website for at least 90 days.

If the breach involved more than 500 patients, the Covered Entity must notify major media outlets in addition to notifying all patients involved.

Additionally, the Covered Entity will need to notify HHS of the breach. Notification can be provided annually if fewer than 500 patients are affected, or within 60 days of discovery if more than 500 patients are affected.

Protect your organization from breach consequences by keeping your employees trained on the Breach Notification Rule and maintaining the proper policies. Use HIPAAgps’ simple system to help keep you and your employees informed and ready for a potential breach.