What is a HIPAA breach?
A HIPAA breach is defined by the 2013 HIPAA rules as the “acquisition, access, use or disclosure of protected health information…which compromises the security or privacy of the protected health information.”
A breach is presumed in this case unless a risk assessment is conducted that demonstrates a “low probability” that a patient’s Protected Health Information (PHI) has been compromised.
4 Factors to Consider in Analyzing a Breach and Deciding to Notify Patients
- Who the unauthorized person was who used or received the PHI.
Did a doctor pick up the wrong file? Or was it another patient?
- Whether the PHI was actually acquired or viewed
If a stack of clinical files falls in the woods and no one is there to read them, do they make a noise?
- The nature of the PHI (what identifiers and likelihood of re-identification)
Social Security numbers = bad. Birthdays…not so bad?
- The extent to which the risk has been mitigated.
In an example given by HIPAA expert Nancy Wheeler J.D., a counselor’s office being burglarized and a filing cabinet broken into would necessitate a report, while losing a password-protected cell phone at a Starbucks for 30 minutes wouldn’t.