What is a HIPAA breach?

A HIPAA breach is defined, by the 2013 HIPAA rules as “acquisition, access, use or disclosure of protected health information…which compromises the security or privacy of the protected health information.”

A breach is assumed in this case unless a risk assessment is conducted that reveals a “low probability” that a patient’s Protected Health Information (PHI) has been compromised.

4 Factors to Consider in Analyzing a breach and Deciding to Notify Patients

  1. Who the unauthorized person was who used of received the PHI.
  2. Did a doctor pick up the wrong file? Or was it another patient?

  3. Whether the PHI was actually acquired or viewed
  4. If a stack of clinical files falls in the woods and no one is there to read them, do they make a noise?

  5. The nature of the PHI (what identifiers and likelihood of re-identification)
  6. Social Security numbers = bad. Birthdays…not so bad?

  7. The extent to which the risk has been mitigated.

In an example given by HIPAA expert Nancy Wheeler J.D., a counselor’s office burglarized, and a filing cabinet broken into, would necessitate a report, while losing a password protected cell phone at a Starbucks for 30 minutes wouldn’t.

Anthony Centore

Anthony Centore

Anthony Centore Ph.D. is Founder and CEO at Thriveworks--a counseling practice, focused on premium client care, with 80+ locations across the USA. He is Private Practice Consultant for the American Counseling Association, columnist for Counseling Today magazine, and Author of How to Thrive in Counseling Private Practice. Anthony is a multistate Licensed Professional Counselor and has been quoted in national media sources including The Boston Globe, Chicago Tribune, and CBS Sunday Morning.

Check out “Leaving Depression Behind: An Interactive, Choose Your Path Book” written by AJ Centore and Taylor Bennett."

Interested in writing for us?


Read our guidelines
Share This