One of the steps to maintaining a HIPAA-compliant healthcare practice is knowing and understanding what constitutes a data breach. The Health Insurance Portability and Accountability Act (HIPAA) is intended to protect patients' privacy through a set of standards, or Rules. When a breach occurs, the covered entity must notify the Department of Health and Human Services (HHS) within a specified time period (usually 60 days, depending on the severity of the breach). But how does the HHS define a "breach"?
The HHS website gives a pretty good explanation of a HIPAA breach, saying it is “...generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In other words, a breach occurs when someone accesses Protected Health Information who doesn't have the patient's permission to. This may include a hacker breaking into a healthcare provider's network and stealing patient data, or it may be a lost USB thumb drive that ends up in the wrong hands. If the PHI is accessed by an unauthorized person or entity, it's considered a HIPAA breach.
There are cases in which a data breach isn't technically a HIPAA breach. According to the HHS, if the covered entity demonstrates that there was a low risk of PHI being compromised during the incident, it may not be considered a breach. So, how do you demonstrate this? The HHS recommends performing a risk assessment based on the following four factors:
- The nature and extent of the PHI involved, such as the identifiers it contains (if applicable) and the risk of re-identification.
- The person who accessed the PHI.
- Whether the PHI was actually viewed, or merely acquired or accessed.
- The extent to which the risk of the PHI being disclosed has been mitigated.
Using the criteria above, covered entities may be able to convince the HHS that a breach did not occur. Furthermore, there are several exceptions to the HHS' definition of a data breach.
The first exception occurs when an employee or worker who doesn't have permission to access PHI accidentally accesses it. Assuming this was done without any nefarious intent, the HHS may let it slide. The second exception involves a worker who is authorized to access PHI but accidentally discloses it to someone else who isn't authorized to access it. And the third exception is when the person who accessed the PHI was unable to retain it.