Investigations into the misuse of protected health information under the Health Insurance Portability and Accountability Act, or HIPAA, sound about as fun as a colonoscopy, but like that important screening test, they're necessary. And according to Tabatha George in a recent article for Fisher & Phillips, new regulations have changed some fundamental aspects of HIPAA compliance, including what constitutes a "breach" under the rules.

"Previously, a breach occurred only if there was a significant risk of financial, reputation or other harm to the individual," notes George. Under the new regulations, the "harm standard" is removed and replaced with a four-part risk assessment, she says. The practical effect is that an impermissible use or disclosure is now presumed to be a breach unless the covered entity or business associate can show, through that assessment, a low probability that the protected health information was compromised.

1. Nature and extent of the personal information: Is the information sensitive? How likely is it that the person can be re-identified from what was exposed? Could they suffer financial or reputational harm? These are questions that must be considered. George says that things like Social Security numbers would be sensitive, whereas a state or city identifier, not so much.

2. The unauthorized person: George says the person who used, accessed or received the protected health information must be assessed. Considerations such as whether he or she is trained in HIPAA compliance, is obligated to protect the privacy and security of the information (for example, another covered entity or business associate), or has a track record of protecting similar information will all be taken into account.

3. Actual use or acquisition: Was the information actually acquired or viewed, or was there merely the opportunity to do so? There may be technical evidence, such as device or access logs, confirming that although the information could have been viewed, nobody actually viewed it. Alternatively, a lost cell phone or other device may be remotely locked, or its files remotely wiped, before anyone can get to the data.

4. Mitigation: The last step is an evaluation of the extent to which the risk has been mitigated, or, conversely, made worse. One factor to consider is how easily the information could have been copied while it was out of the health care provider's possession, since a returned or recovered device proves little if the data may already have been duplicated.