It is time to get your Breach Notification Logs out and prepare to notify Health and Human Services of all the breaches your organizations had in 2017 that affected fewer than 500 individuals. If you had a breach last year that affected more than 500 individuals those should already have been reported, so we are not going to rehash such an event. First, let’s quickly review the definition of a breach and what our responsibilities, as covered entities, are according to the HIPAA Breach Notification Rule.
The term “breach” means the unauthorized acquisition, access, use, or disclosure of PHI or ePHI (electronic PHI).
Any acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy and Security Standards is presumed to be a breach unless the Covered Entity (your organization) can show a “low probability that the PHI has been compromised” based on the following factors:
- the nature and extent of the PHI including the types of identifiers and likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed;
- the extent to which the risk has been mitigated.
Breach Detection and Analysis
Your organization must develop, implement, and maintain processes for detecting, managing, and responding to suspected or confirmed breaches of PHI (and ePHI). As soon as a breach is suspected or has been identified, the dental team member who discovers the breach must take immediate steps to report the breach to your organization’s Privacy Officer. Upon receipt of such a report, the Privacy Officer shall gather information, investigate and determine whether a breach has occurred. The following questions should be addressed during this analysis:
- Has there been an impermissible use or disclosure of an individual’s protected health information under the Privacy Standards or Security Standards?
- Does the impermissible use or disclosure pose a risk that the individual’s PHI has been compromised?
- Do any of the exceptions to the definition of “breach” apply?
- Is the protected health information at issue considered “unsecured protected health information”?
Breach Risk Assessment
When conducting an assessment of the probability that PHI has been compromised, your organization should consider at least the following factors:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
To assess this factor, your organization should consider the type of PHI involved in the impermissible use or disclosure, such as whether the disclosure involved information that is of a more sensitive nature. With respect to financial information, this may include credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud. With respect to clinical information, this may involve considering not only the nature of the services or other information, but also the amount of detailed clinical information involved (e.g., treatment plan, diagnosis, medication, medical history information, test results, etc.).
In situations where there are few, if any, direct identifiers in the information impermissibly used or disclosed, your organization should determine whether there is a likelihood that the PHI released could be re-identified based on the context and the ability to link the information with other available information.
2. The unauthorized person who used the PHI or to whom the disclosure was made;
Your organization should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, if the PHI is impermissibly disclosed to another entity required to abide by the HIPAA Privacy and Security Rules, or to a Federal agency obligated to comply with the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, there may be a lower probability that the PHI has been compromised, because the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the Covered Entity.
This factor should also be considered in combination with the first factor discussed above regarding the risk of re-identification. If the information used or disclosed is not immediately identifiable, the Covered Entity should determine whether the unauthorized person who received the PHI has the ability to re-identify the information.
3. Whether the PHI was actually acquired or viewed; and
Your organization should investigate an impermissible use or disclosure to determine whether the PHI was actually acquired or viewed, or alternatively, whether only the opportunity existed for the information to be acquired or viewed. For example, if a laptop computer was stolen and later recovered, and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the Covered Entity could determine that the information was not actually acquired by an individual even though the opportunity existed. In contrast, if your organization sent the information to the wrong individual, and that individual called your organization and said that they had viewed the information in error, then the unauthorized recipient viewed and acquired the information, because they actually opened and read it.
4. The extent to which the risk to the PHI has been mitigated.
Your organization should attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.
Action Following ANY Breach
As outlined above, every breach must be evaluated and documented. The burden is on the covered entity (your organization) to demonstrate due diligence with every breach. Additionally, every breach (reportable or not) should be documented by way of a Breach Risk Assessment or Incident Report. Every “reportable” breach should also be entered in your Breach Notification Log.
Reporting to Affected Individuals
The Breach Notification Rule requires covered entities to inform affected individuals of breaches where there is greater than a “low probability of harm” to that individual. Notice that the term individual is used. The relationship of the individual to your practice is irrelevant. This could be a patient, former patient, caregiver, responsible party, or perhaps another person who paid a bill for a patient or former patient of your practice. In any event, if an individual’s PHI is breached, your organization, as a covered entity, has a responsibility to notify the affected person.
At the end of this article is a copy of the reporting form for HHS. The form outlines essentially the same information you are required to provide to affected individuals, including: what happened, how it happened, what information was breached, the date it occurred (if known) and the date it was detected, what was done to mitigate any potential damage, and what the affected individual can do to protect themselves (e.g., credit report monitoring, obtaining a new credit card, etc.).
Notifying affected individuals is NOT optional. In fact, under Texas state law failure to respond appropriately can leave a covered entity liable for criminal penalties (a felony).
Reporting to HHS
Breaches that affect fewer than 500 individuals must be reported by the covered entity to the federal Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by the 60th day of the following year (March 1st). This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. On the HHS website, a separate form must be completed for every breach that occurred during the preceding calendar year.
The following information was taken from the HHS website linked below to give readers an idea of what to expect from this self-reporting site. Remember that notifying HHS annually of reportable breaches of unsecured PHI is required. Failure to notify can result in steep sanctions, with fines topping out at $1.5 million per year (this includes small organizations). Let’s look at an example!
Part of having a remarkable 2018 involves NOT having reportable breaches of unsecured PHI. Should one occur, or should you be unsure whether an incident qualifies as a reportable breach, you can reach us at (817) 755-0035 or firstname.lastname@example.org.
Reporting form from https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more… It’s not just about OSHA anymore! Give us a call at 817-755-0035.