Assuming Harm: The New 2013 Breach Rule Standard

A major shift under the 2013 Final Rule involves how a CE or BA determines how serious a breach is and what notifications are required based on that determination.  Of course, it helps to have some idea of what a HIPAA Breach is before you can think about the assessment of it.

In the most basic terms, think of a breach as any time the security or privacy of PHI might have been compromised.  If there is a chance that PHI has been acquired, accessed or disclosed to someone who shouldn’t see it, then someone should must look into the situation.  All the information about what happened must be documented thoroughly including all the decisions that are made concerning the incident.  You will need the documentation to show why you made the decisions you made if anyone ever asks.

Once your information has been gathered, you now have to do an assessment of the risk of harm this breach may have on the patients involved.  Previously, this evaluation was supposed to determine if  there has been harm.  Under the new rule, you must assume that there has been harm from the beginning.  There are four factors a CE or BA must use to determine what they should do next with their breach documentation.  To make a decision  the following information must be considered (and, of course, documented).

  1. The nature and extent of the protected health information involved, including the types of information included and the likelihood of identifying an individual patient
  2. The unauthorized person who used the PHI or to whom the disclosure was made may have been unknown, or it could simply be an employee looking at the wrong patient records
  3. Whether the protected health information was actually acquired or viewed by an unauthorized person
  4. The extent to which the risk to the protected health information has been mitigated; for example, was the breached information received via an encrypted hard drive?

Once you have answered those questions you will likely know if there can really be considered no harm done.  Keep in mind, even if an encrypted hard drive is stolen, breach notifications are required.  The notification gets to say that the information is very unlikely to be compromised because it was properly encrypted.  *****UPDATE**** To clarify this comment.  A security breach has occurred in the encrypted drive case not a privacy breach.  Notifications aren’t likely required to each individual but notifications are required somewhere in the process.  Plus, your state may not have a safe harbor exemptions for encrypted data.  A detailed investigation should be performed even if there is a loss of encrypted data. The method of encryption and location of encryption keys must be determined.  Then, you determine what notifications are required. *****UPDATE*****

Breach and incident documentation is required to show your decisions process, information you knew at the time and more.  Many offices haven’t even drawn up a Breach Notification policy that includes exactly who to notify if someone in your office believes there may have been a breach and what that person does with the information once they get it.  This one is brand new and required for both BAs and CEs.

Another important reason we partnered with ComplyAssistant was the framework for a Breach Notification policy is built right into the system.   It is currently being updated to include the new decision process and help guide you through the questions you should ask under the new assessment requirement.  That tool certainly made our Breach policy easier to figure out and write up.

Filed under: HIPAA