Catherine Boerner (cboerner@boernerconsultingllc.com), President of Boerner Consulting LLC in New Berlin, WI.
I thought it would be a good time to write about privacy breach risk assessments. I often find that as there is turnover in the compliance department, privacy professionals may need a refresher on how to think about and analyze privacy breaches when performing breach risk assessments. Privacy breaches may or may not need to be “reportable” breaches to the patient and the Office for Civil Rights. It is important to remember that an impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.
As those of you seasoned privacy professionals know, the standard changed in 2013 from the harm standard to evaluating with a four-factor test whether there has been a low probability of compromise.[1] This was a major change at the time because everyone was thinking about and analyzing whether the breach really caused the person any harm. It was very subjective. Assessing whether we think the person was or could be harmed from the breach of their information is not relevant anymore. You really just need to assess the probability of the information having been “compromised.”
Remember, before you even get to the four-factor test, the first step to consider is whether an “exception” applies.
There are three exceptions to the definition of “breach.”[2] In summary:
- Good faith, unintentional acquisition, access, or use by an employee/workforce member acting within the scope of authority, where the PHI is not further used or disclosed (e.g., “A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee”).
- Inadvertent disclosure by one authorized person to another authorized person doing a job at the same covered entity.
- The recipient could not reasonably have retained the data. For example, a few explanation of benefits (EOBs) sent to the wrong individuals are returned by the post office, unopened, as undeliverable. You can conclude that the recipients could not reasonably have retained the information. However, any EOBs that you know were sent to the wrong individuals and were not returned as undeliverable should be treated as breaches.
A good resource to review when thinking about the four-factor test is the HIPAA Collaborative of Wisconsin (HIPAA COW) Draft 2013 Omnibus Rule Version Breach Notification Policy and its attachments, including “Examples of Violations and Notification Recommendations.”[3] These examples can help your team with the decision to notify patients and the Office for Civil Rights.