Is a HIPAA Violation a Reportable Breach?

by ih-coc admin

by Jay Hodes, President - Colington Consulting

A workforce member violating an organization’s HIPAA policies and procedures does not, by itself, trigger a breach reporting requirement. The significant determination is the extent to which any protected health information (PHI) may have been compromised, based on breach rule guidance. So, before getting too technical regarding that determination, here are some cases to consider:

  1. An employee for a healthcare software company loses a computer containing the PHI of 2000 patients. Reportable breach?
  2. A hospital system is the victim of a ransomware attack. Reportable breach?

A breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Going through this type of breach “risk assessment” can be challenging, especially in trying to determine if any PHI was acquired or viewed. To further complicate this process, the guidance does not specify what exactly a “low probability” is. So, this assessment process will take some work.

Begin by using a decision tree and asking questions such as “Was the PHI disclosed to a person who reasonably would not have been able to retain that information?” and “Was the PHI secured by encryption?” The resulting series of yes or no responses will help to determine whether a breach notification is required.

In most of these cases, the organization’s HIPAA Privacy and Security Officials should take the lead with this process. There may be a need to involve the organization’s healthcare and privacy attorney for advice. Experience and expertise with the process are clearly essential to helping determine probability.

It is important to document the results, especially in those cases in which a determination was made that it was not a reportable breach. If any of the PHI was in fact compromised and a breach report was not made, that documentation demonstrates due diligence in the event of an HHS Office for Civil Rights (OCR) investigation.

Referencing the numbered case examples above:

  1. This would be a reportable breach if the PHI was not encrypted. However, if the PHI was encrypted, it could still be an organizational HIPAA violation based on policies and procedures for mobile devices.
  2. This example is going to be a fact-specific determination. In 2016, OCR issued guidelines on the topic of ransomware attacks. If the PHI was encrypted, it may not be reportable. But any unsecured PHI will be a reportable breach. (See the full fact sheet.) In this case, the possibility exists that there may also be a HIPAA violation based on the cause of the attack and whether proper safeguards were followed by a workforce member or members.

My advice is to make sure your organization’s HIPAA Sanction policies and procedures are clear for any violations, even for those cases that are not reportable. Ensure the organization has a comprehensive breach notification policy and accompanying procedures. Be familiar with the breach risk assessment process and be prepared should an impermissible use or disclosure occur.