March 10, 2020
Whether you have recently experienced a breach or are just preparing for the worst, it’s important to know what you need to assess in the event that your practice is faced with a HIPAA incident. Any time your Protected Health Information (PHI) is exposed, whether maliciously or accidentally, your practice may be facing serious fines for a HIPAA violation. The first step is knowing what exactly is considered a breach of PHI.
As defined by the U.S. Department of Health and Human Services, a HIPAA breach is the “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This definition is broad and leaves practices to determine if a breach has occurred. If you believe you may have been breached, the next step is to assess your specific level of risk using the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification (i.e., what kind of information was exposed)
  - Certain identifiers, such as Social Security numbers or sensitive diagnoses, increase the probability of compromise
- The unauthorized person who used the protected health information or to whom the disclosure was made (i.e., an employee or an outside party)
  - If the recipient is another entity regulated by HIPAA, there may be a lower probability that the PHI is at risk
- Whether the protected health information was actually acquired or viewed
  - If the opportunity existed for the PHI to be acquired but it was not actually viewed, there may be a lower risk
- The extent to which the risk to the protected health information has been mitigated
  - Mitigating the risk in a timely manner is always in your practice’s best interest
In any instance where unsecured PHI is involved, properly assessing the level of risk associated with your practice’s potential data breach is an essential first step. Your next steps are reporting the breach and notifying the right individuals as specified by HIPAA. In addition, the number of affected persons, your state’s individual reporting requirements, the types of PHI, and the likelihood the PHI exposed will be used for malicious intent will influence the best way to address the breach.
All practices, before a breach ever occurs, should have a Breach Notification Policy in place that will outline the proper reporting steps that must be followed. Like all HIPAA policies, the policy should also include any state-specific breach notification laws that might supersede Federal requirements.
It’s important to note that analyzing your HIPAA program shouldn’t only be done after a breach has already occurred. Practices should assess their level of HIPAA compliance regularly and complete the mandatory annual Security Risk Analysis in order to identify areas that could be breached in the future. This not only sheds light on often-overlooked risks, such as outdated software or missing policies for regulating access, but also means that if your practice does experience a breach, you are better equipped to identify and mitigate the issue.
In fact, if you experience a breach and have not completed the required Security Risk Analysis beforehand, the likelihood that your practice will be hit with a HIPAA fine goes up dramatically: almost all HIPAA fines levied by the OCR are in part the result of a missing risk analysis.
Updating and maintaining your practice-specific Security Risk Analysis and policies on a regular basis may seem daunting, but software solutions (like Abyde!) help streamline and automate this process to simplify your compliance program.