Beginning August 2016, the government agency in charge of investigating HIPAA violations will expand its investigations to include smaller breaches. Smaller breaches — those affecting fewer than 500 individuals — were once only investigated “as resources permitted.” This is no longer the case, according to an announcement from the Office of Civil Rights (OCR).
What is considered a breach?
The OCR defines a breach as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
Covered entities and business associates have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the PHI has been compromised.
There are three exceptions to the definition of “breach.”
- The first exception applies to the unintentional acquisition, access, or use of PHI by a staff member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
- The second exception applies to the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
- The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Do all breaches have to be reported to the federal government?
Yes. If a covered entity or business associate determines that a breach has occurred, it must be reported to the Secretary of Health and Human Services. Breaches involving more than 500 individuals must be reported as soon as possible, and no later than 60 days after the determination that a breach has occurred. Breaches involving fewer than 500 individuals may be reported at the time the breach is discovered or within 60 days of the end of the calendar year in which it occurred.
It is important to note that if you experience a privacy or security incident, you should not call it a breach until you have made that determination using the assessment described above. When you call it a breach, it is reportable.
What does this mean to my practice?
You must have a plan to respond to privacy and security incidents. You should make a report to your cyber liability insurance carrier as soon as possible because the incident may be covered under your policy. If covered, your carrier will assist in the investigation and breach notification if required.
With the OCR’s new initiative, smaller breaches could result in an investigation, which generally takes 2-3 years to reach a conclusion with the OCR. An OCR investigation adds significantly to the cost of an incident. Now is a good time to check your cyber liability insurance coverage and associated policy limits.
The best defense is always a good offense. Is your HIPAA compliance up to date? Need help in complying with HIPAA? Contact TMLT’s Product Development Services Department or visit our website.
About the Author
Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at firstname.lastname@example.org.