What is a HIPAA breach?

A HIPAA breach is defined by the 2013 HIPAA rules as the “acquisition, access, use or disclosure of protected health information…which compromises the security or privacy of the protected health information.”

A breach is presumed in this case unless a risk assessment is conducted that reveals a “low probability” that a patient’s Protected Health Information (PHI) has been compromised.

4 Factors to Consider in Analyzing a Breach and Deciding to Notify Patients

    1. Who the unauthorized person was who used or received the PHI.

Did a doctor pick up the wrong file? Or was it another patient?

    2. Whether the PHI was actually acquired or viewed.

If a stack of clinical files falls in the woods and no one is there to read them, do they make a noise?

    3. The nature of the PHI (what identifiers are involved and the likelihood of re-identification).

Social Security numbers = bad. Birthdays…not so bad?

    4. The extent to which the risk has been mitigated.

In an example given by HIPAA expert Nancy Wheeler, J.D., a counselor’s office being burglarized and a filing cabinet broken into would necessitate a report, while losing a password-protected cell phone at a Starbucks for 30 minutes wouldn’t.


Anthony Centore, PhD

Anthony Centore, PhD, is Founder and Chair at Thriveworks — a counseling practice focused on premium client care, with 340+ locations across the US. Anthony is a Private Practice Consultant for the American Counseling Association, columnist for Counseling Today magazine, and author of "How to Thrive in Counseling Private Practice". He is a multistate Licensed Professional Counselor (LPC) and has been quoted in national media sources including The Boston Globe, the Chicago Tribune, and CBS Sunday Morning.
