Not every privacy incident requires disclosure. Here’s what to know before you act.

It’s the situation every practice dreads: your patients’ PHI may have been breached. No matter how strong your IT system is, breaches happen in practices of all sizes. You may feel inclined to panic and start notifying regulators and patients right away.
We typically suggest the opposite. Pause and speak with a healthcare attorney who understands HIPAA. You may not be required to notify anyone, depending on the facts. Even if you ultimately must disclose the breach, HIPAA gives you a reasonable window to determine your obligations first. Keep in mind that if a breach did occur, you must notify affected individuals within 60 days of discovery.
HIPAA is complex. Exceptions exist that may relieve you of the duty to notify others. This article covers the key questions to ask before you make a report.
Are You a Covered Entity Under HIPAA?
Not every healthcare business is a “covered entity” under HIPAA. Just because you handle sensitive health information—or follow HIPAA-like policies—doesn’t mean the law’s breach notification rule applies to you.
To be considered a covered entity, your practice must send certain electronic transactions, such as insurance claims or eligibility checks, to health plans. Most practices that bill insurance fall into this group. However, if you only accept private pay and don’t transmit these transactions, HIPAA’s breach rule might not apply.
Even so, you may be subject to other federal or state privacy laws, as we’ll discuss shortly.
See our related article, “Does HIPAA Apply to You? You Might Not Be Compliant.”
Are You Sure This Is a Breach?
HIPAA defines a breach as the acquisition, access, use, or disclosure of protected health information (PHI) in a way that isn’t permitted under HIPAA’s Privacy Rule and that compromises the security or privacy of the PHI. However, not every privacy incident meets this definition. For example, if there’s a low probability that the PHI was truly compromised, it may not qualify as a breach. A risk assessment is required to make this determination. It should take into account:
- The nature and extent of the PHI involved, including the likelihood that someone could identify the patient
- Who received or accessed the information
- Whether the PHI was actually viewed or acquired
- The steps you took to reduce the risk of further exposure
Alongside these factors, HIPAA outlines several common exceptions to the breach definition:
Did a workforce member access the PHI in good faith?
If the person involved is part of your workforce—such as an employee or contractor—and they accessed PHI by mistake while doing their job, it may not be a breach. This only applies if the access was in good faith and the PHI wasn’t further shared or misused.
Was the PHI sent to another covered entity under HIPAA?
Sharing PHI with another HIPAA-covered entity isn’t always a breach, especially if it was for a permitted purpose like treatment or payment. However, if it was shared for the wrong reason, or with someone not authorized to receive it, it may still be considered a breach.
Could the person who received the PHI actually access it?
If the PHI was encrypted or otherwise unreadable, and the person who received it couldn’t view or understand it, it likely isn’t a breach. What matters is whether the information was protected in a way that made it unusable to unauthorized parties.
Do Other Laws Apply to the Situation?
HIPAA isn’t the only law that matters when PHI is compromised. States and cities often have their own rules. These may trigger separate reporting obligations, even if HIPAA doesn’t.
For example, California’s Confidentiality of Medical Information Act (CMIA) offers some protections that are even more stringent than HIPAA. The Texas Medical Records Privacy Act (TMPRA) applies to a wider range of entities and broadens the definition of PHI. Always consider state law before deciding how to proceed.
While this article focuses on clinical practices, it’s also worth being aware of another federal rule that applies to certain non-HIPAA businesses. The Federal Trade Commission’s (FTC) Health Breach Notification Rule covers some health apps, fitness trackers, and direct-to-consumer platforms that collect or manage personal health records. If your practice uses or partners with tools like these, or if you ever expand into direct-to-consumer services, this rule could come into play. To learn more, see our video, “FTC Health Information Breach Notification Rule.”
Next Steps After an Initial Determination
If you determine that no breach occurred, or that an exception applies, you’re not entirely off the hook. You’ll still need to demonstrate that you made a careful analysis if regulators investigate. That means documenting your risk assessment and the reasoning behind your decision.
Include all documentation in your HIPAA compliance records. If your practice doesn’t already have the mandated written HIPAA policies and procedures, now’s the time to put them in place.
If you confirm a breach occurred, your next steps will depend on how many people were affected. If fewer than 500 individuals were affected, you’re typically required to notify only those individuals directly. If 500 or more were affected, you may also need to notify the U.S. Department of Health and Human Services (HHS) and potentially alert the media.
For a more in-depth discussion of notification requirements, see our article, “Healthcare Data Breaches: What Are Your Legal Obligations for Notifying Affected Parties?”
Get Legal Support
A potential PHI breach is stressful, but you don’t have to navigate it alone. An experienced healthcare attorney can help you determine whether a breach occurred, analyze your obligations, and assist with notifications if needed.
If you operate in one of the states where we have licensed attorneys, schedule a consultation to talk through your next steps.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.