BreachExchange mailing list archives

Determining Whether a HIPAA Data Breach Occurred


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Mar 2015 14:03:40 -0600

http://healthitsecurity.com/2015/03/12/determining-whether-a-hipaa-data-breach-occurred/

Covered entities need to be able to determine if a HIPAA data breach has
taken place following the potential exposure of sensitive data. The
implementation of the HIPAA Omnibus Rule slightly changed this process, in
that there were new determining factors for assessing exactly what
constitutes a data breach.

Responding to a HIPAA data breach did not change, but covered entities were
given four factors to review and then conclude if a health data breach had
in fact taken place. Essentially, healthcare facilities must prove that
there is a low probability that PHI was compromised after a risk assessment
of the following factors:

- Determine the nature and extent of PHI involved. This includes finding
the types of identifiers and the likelihood of re-identification;
- Determine who the unauthorized individual was who used the PHI. Moreover,
facilities need to determine who received or viewed the data – if they were
authorized or not;
- Determine if the PHI was actually acquired or viewed;
- Determine the extent to which the risk to the PHI has been mitigated.

“Covered entities and business associates, where applicable, have
discretion to provide the required breach notifications following an
impermissible use or disclosure without performing a risk assessment to
determine the probability that the protected health information has been
compromised,” according to the Department of Health & Human Services’ (HHS)
website.

Essentially, covered entities must first investigate to see what type of
information was exposed. For example, was it just financial information?
Were patients’ medical histories, Social Security numbers, or dates of
birth compromised?

From there, organizations need to find out who inappropriately disclosed
the PHI. Was it an employee or an outside party? Is the business associate
at fault? This is also important after the implementation of the Omnibus
Rule as more responsibility was given to business associates.

The third factor revolves around covered entities determining if the
exposed PHI was actually viewed or used inappropriately. For example, if an
email containing a database filled with patients’ PHI was sent to an
outside party, did that individual actually open the email? Did he or she
forward the information to anyone else?

Finally, healthcare organizations must show whether corrective action has
already been taken. Essentially, did the covered entity already make the
necessary security changes to ensure that the PHI exposure is lessened as
much as possible? For example, if an unencrypted laptop was accessed, did
the entity add passwords and/or encryption?

Exceptions to the HIPAA data breach

It is also important to note that there are three exceptions to the data
breach definition, according to HHS. First, if the acquisition of PHI is
unintentional and done by an employee or individual “acting under the
authority of a covered entity or business associate,” then a data breach
may not have taken place. This also holds true for how the PHI is accessed
or used. Essentially, if the PHI is accessed, acquired or used “in good
faith” there may not be an issue.

The second exception is when an authorized person inadvertently discloses
PHI at a covered entity or business associate to another person who is
authorized to access such data at the facility. For example, if one doctor
at a hospital discloses PHI to another doctor at the same hospital, an
exception to the HIPAA data breach could be made. However, the data in
question must not be further used in any way that violates the HIPAA
Privacy Rule.

Finally, an exception to the HIPAA data breach can occur “if the covered
entity or business associate has a good faith belief that the unauthorized
person to whom the impermissible disclosure was made, would not have been
able to retain the information.” Essentially, if a doctor receives PHI in
error and the hospital has no reason to think he could have saved or stored
the information, an exception could potentially be found.

Overall, the key thing to remember in terms of HIPAA data breaches is
whether the incident involved unsecured PHI. To count as secured, the data
needs to have been made “unusable, unreadable, or indecipherable to
unauthorized persons through the use of a technology or methodology
specified by the Secretary in guidance.” Covered entities need to follow the
guidelines put forth in the HIPAA Security Rule to ensure that sensitive
data has the necessary protections. That way, even if a data breach occurs,
healthcare organizations can potentially avoid certain federal fines.

A HIPAA data breach is not always the outcome of a healthcare facility’s
security measures being infiltrated. However, it is essential that covered
entities are able to determine whether this type of breach occurred and know
what steps to take next.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 