Are you aware of a breach of PHI within your organization?

Are you prepared to file a report?

Are you aware of the different reports required by the OCR?

Do you know the best way to report a breach that places you in a better light to avoid fines and penalties?

Data Breaches

Under the HIPAA Rules a covered entity must report a breach of unsecured protected health information to the Office for Civil Rights (OCR), a division of the Department of Health and Human Services.

HIPAA Breach Report Toolkit

Our Breach Report Toolkit covers all the steps you need to take action – and minimize your risk.

It includes a worksheet of all the information you’ll need to collect initially, so that you can keep it all in one place as you work through the process of mitigation.

What is a Breach of PHI

A breach is, generally, an impermissible use or disclosure under the HIPAA privacy regulations that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Exceptions to the Definition of a Breach

There are three exceptions to the definition of breach:

  1. An unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  2. The inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. A disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Breach Analysis

Breach Risk Assessment

The covered entity must perform a Breach Risk Assessment and determine if a breach occurred which requires notification to the individual and OCR.

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

How do I handle a breach?

It is important to follow all the steps to report a breach to the OCR. Every breach is different and must be handled on a case-by-case basis.

A full breach analysis must be performed to determine if there was an impermissible use or disclosure that compromises the security of protected health information.

Factors to be resolved are:

  1. The nature and extent of the breach, including the identifiers involved
  2. The unauthorized person to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Notification Requirements

Individual Notice

Individuals affected must be notified by email or by substitute notice of discovery of the breach.

Timing

Individual notifications must be provided without unreasonable delay and in no case later than 60 days.

Media Notice

Media notice must be given, in addition to notifying the affected individuals, in the event of a breach affecting more than 500 residents of a state or jurisdiction.

Notice to the Secretary HHS/OCR

The breach notification by the covered entity will differ based on whether the breach affected 500 or more individuals or fewer than 500 individuals.

Follow this link to report breaches at the U.S. Department of Health and Human Services Office for Civil Rights.

What if you have not experienced a breach?

That’s great! But you should still prepare. Most people don’t think about HIPAA compliance until it’s too late. Moreover, the best way to deal with a HIPAA violation is to avoid it in the first place.

Be proactive. A first step is checking for weaknesses – and we can help.

Get our compliance checklist to see where your vulnerabilities lie.

HIPAA Compliance Checklist

As your organization prepares to take on the challenges of HIPAA compliance, you must have a game plan. At HIPAA Associates we are happy to provide you with a HIPAA Compliance Checklist that will assist you in successfully developing your HIPAA compliance plan. This checklist is a step-by-step guide that takes you through all the important steps the Office for Civil Rights expects from covered entities and business associates today.