HIPAA Breach Evaluation and Reporting What is a Reportable HIPAA Breach, to Whom, and How

Breaches of Protected Health Information are becoming more and more common and can be a result of a variety of circumstances, from words spoken too loudly in a public setting, to a lost thumb drive full of medical records, to files being held for ransom by hackers.

Any violation of the HIPAA Privacy Rule may be a reportable breach under the HIPAA Breach Notification rules, requiring notification of individuals and HHS when information security is breached.  Any incident involving a HIPAA issue must be evaluated to see if it is reportable, and any decisions or actions must be fully documented.

There are several steps that must be taken to determine if an incident is a breach, and whether or not that breach is reportable.  Determining whether to report or not is necessarily straightforward, but there are guidelines to follow to help at every step of the way.  Even Ransomware attacks by hackers may be reportable if you lose control of your data and don’t know exactly what happened.

If the evaluation of the necessity to report is not done correctly, you may not make the right decisions about reporting and be subject to penalties for non-compliance upon an investigation of a breach by HHS.  Breach investigations, even for small breaches, are a new priority at HHS, and the HHS regional offices are taking on the job of looking into small breaches (affecting under 500 individuals), especially when there have been multiple breaches or repeated similar breaches.

Penalties for non-compliance can up to millions of dollars in cases of willful negligence, so it is essential to evaluate incidents to see if they are reportable breaches and act properly on the evaluation.

• The definition of a Breach under HIPAA
• Evaluating the Privacy violation
• Reviewing the exceptions to the definition of a breach
• What is good enough encryption according to the rules
• Performing the Risk Analysis to determine the necessity to report
• Ransomware and Breaches – When to Report
• Avoiding Breaches
• The most common causes of breaches
• Reporting breaches to HHS and the individuals
• Reporting breaches to the press and other agencies
• Documenting your analysis and decisions

Whenever there may be a privacy issue involving Protected Health Information, there may be a reportable breach under the HIPAA regulations.  Not all privacy violations are reportable breaches, though, so it is essential to have a good process for evaluating incidents to see if they have resulted in a reportable breach.

Any privacy rule violation that results in an acquisition, access, use, or disclosure of PHI in violation of the HIPAA Privacy Rule may be a breach unless the incident is one of the defined exceptions from the definition.  A breach is reportable unless the information was secured or destroyed in the incident, or unless a risk analysis shows that there is a low probability of compromise of the information, based on at least four factors defined in the rules.

We will examine how to determine if a privacy violation is potentially a breach according to the definition, and then describe the subsequent steps in the evaluation, if it is determined that the definition has been met.  We will discuss the exceptions to the breach definition for inadvertent internal uses, or when it can be determined that the information could not be retained in any way by the receiving party.

In addition, any reporting must be made within the required time frames, or penalties can result, as shown in recent enforcement actions by HHS for late reporting of breaches.

We will explain, based on historical analysis of reported breaches, what measures must be taken today to protect information from the most common threats, as well as discuss information security trends and explain what kinds of efforts will need to be undertaken in the future to protect the security of PHI. 

Individuals responsible for risk management, compliance, privacy, and security of health information, individuals implementing electronic health care information systems, such as:

• CEO
• CIO
• HIPAA Privacy Officers
• HIPAA Security Officers
• Information Security Officers
• Risk Managers
• Compliance Officers
• Privacy Officers
• Records Release Manager
• HIM Manager
• Counsel
• Health Information Managers
• Information Technology Managers
• Information Systems Managers
• Medical Office Managers
• Chief Financial Officers
• Systems Managers
• Chief Information Officer
• Healthcare Counsel/lawyer
• Operations Directors
• Office Manager
• HR Director