As a HIPAA-covered entity, your medical establishment is required by the HIPAA Breach Notification Rule to provide notification following a breach of unsecured protected health information (PHI). Depending on the number of individuals your PHI breach affects, you may need to notify each affected individual, the Secretary of the U.S. Department of Health and Human Services (HHS), and the media.
But determining whether to report a privacy breach—that is, determining whether an incident qualifies as a reportable breach—is not so straightforward, attests industry expert Jim Sheldon-Dean in his audio conference for ProfEdOnDemand, “HIPAA Breach Evaluation and Reporting.” That’s why you must correctly conduct a HIPAA Breach Evaluation and implement a breach notification policy so you know how to follow through when an incident occurs.
HIPAA Breach Evaluation
To determine whether you must report an incident, first determine whether it fits the definition of a HIPAA breach. At its simplest, a breach is an incident that compromises the security or privacy of PHI. That description is broad, though, and each incident needs further analysis.
The incident may not be a reportable breach if your risk assessment shows a low likelihood that the PHI was compromised, based on four key factors:
- What the data is and how well identified it is;
- To whom the data was released and what obligations they have to protect the information;
- Whether the information was actually exposed; and
- Whether the incident has been mitigated properly.
HIPAA Breach Reporting
Once you determine an incident is in fact a PHI breach, you must begin the notification process.
What next: The steps you take—and how quickly you take them—depend on the number of individuals affected by the breach:
- Fewer than 500 individuals: You’ll notify the individuals promptly and the HHS Secretary no later than 60 days after the end of the calendar year in which you discovered the breach.
- 500 or more individuals: You’ll notify the individuals and the HHS Secretary promptly, no later than 60 days following the breach.
- More than 500 residents of a state or jurisdiction: You’ll notify the individuals and the HHS Secretary promptly, no later than 60 days after the breach; you’ll also notify the prominent media outlets that serve that state or jurisdiction.
Incidents That Incur Data Risk
The best way to avoid HIPAA breaches is to eliminate the incidents that lead to them in the first place. Here are a few common causes of HIPAA breaches; preventive measures against each of them should be included in your HIPAA training:
- Human error. Because of the amount of data employees handle, it should come as no surprise that human error is ranked the number one cause of data breach according to the 2018 Verizon Protected Health Information Data Breach Report. Of these errors, mis-delivery (sending sensitive information to the wrong person) is the most common type of error, followed by disposing of sensitive data in an insecure manner and physically misplacing data.
- Improper mailings. While mis-delivery is often caused by human error, such as emailing a file to the wrong person, software malfunction sometimes plays a part, too. For example, improper mailings—such as sending medical records, plan information, or statements to the wrong patient—can create a large-scale HIPAA violation. In one such case, Pulse Systems of Kansas City mis-mailed statements that inadvertently disclosed information on 722 individuals, reported com.
- Stolen devices. Employees should take extra precautions with laptops and mobile devices that contain PHI, because their theft can create a HIPAA breach. “Mobile devices are the most vulnerable to theft because of their size,” says Becker’s Hospital Review. Best practice: Follow the HHS encryption guidance to render PHI unusable, unreadable, or indecipherable to unauthorized individuals who acquire these devices.
- Misusing social media. Never post a picture of a patient on social media without the patient’s written consent. “While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor’s specialty, which is a breach of the patient’s privacy,” asserts Becker’s Hospital Review. Other common HIPAA social media violations include gossiping about patients and posting images that display patients’ PHI, according to HIPAA Journal.
Remaining HIPAA-compliant and avoiding fines is no easy task! You must know the common causes of breaches to successfully avoid them.
Plus, you must know how to perform a risk analysis to determine whether you must report when a breach does happen. In his conference, Sheldon-Dean covers HIPAA breach reporting in depth—and shows you how to create the right breach notification policy for your medical establishment so that you know exactly what to do when an incident occurs.