What is a HIPAA breach?

A HIPAA breach is defined by the 2013 HIPAA rules as “acquisition, access, use or disclosure of protected health information…which compromises the security or privacy of the protected health information.”

A breach is assumed in this case unless a risk assessment is conducted that reveals a “low probability” that a patient’s Protected Health Information (PHI) has been compromised.

4 Factors to Consider in Analyzing a Breach and Deciding to Notify Patients

    1. Who the unauthorized person was who used or received the PHI.

Did a doctor pick up the wrong file? Or was it another patient?

    2. Whether the PHI was actually acquired or viewed.

If a stack of clinical files falls in the woods and no one is there to read them, do they make a noise?

    3. The nature of the PHI (what identifiers it contains and the likelihood of re-identification).

Social Security numbers = bad. Birthdays…not so bad?

    4. The extent to which the risk has been mitigated.

In an example given by HIPAA expert Nancy Wheeler, J.D., a counselor’s office being burglarized and a filing cabinet broken into would necessitate a report, while losing a password-protected cell phone at a Starbucks for 30 minutes wouldn’t.