45 CFR §§ 164.400-414, otherwise known as the HIPAA Breach Notification Rule, requires all entities and businesses covered by HIPAA to disclose any breaches of unsecured protected health information (PHI). In order to protect themselves against legal ramifications, such entities and businesses must discern whether the release of PHI was in fact a breach and act expeditiously to notify all affected parties of the potential breach.
What constitutes a HIPAA breach?
A breach, as defined by the applicable Federal Regulations, is an acquisition, use or disclosure of PHI which compromises the security or privacy of the patient. PHI is individually identifiable health information such as name, date of birth, zip code, fax numbers, email addresses, social security numbers, health plan beneficiary numbers, license plate numbers, etc.[1] Generally, an impermissible use or disclosure of PHI is presumed to constitute a breach unless there is a low probability that the PHI has been compromised. In order to make this determination, the entity must perform a risk assessment based upon: the nature and extent of the PHI at issue; the identity of the unauthorized person who used or received the PHI; whether the PHI was actually acquired or used; and the extent to which the risk has been mitigated.
The following three scenarios serve as exceptions and insulate unauthorized disclosure of PHI from constituting a “breach”:
- The acquisition of PHI was unintentional and was made by a worker acting in good faith within his scope of practice under the authority of a covered entity or business associate provided there is no further unpermitted use or disclosure.
- The disclosure of PHI was inadvertent and transpired between two individuals authorized by a covered entity or business associate to have access to PHI provided there is no further unpermitted use or disclosure.
- The covered entity or business associate has a good faith belief that the unauthorized individual who received the PHI would not be able to retain the information.
How Can I Protect My Clients?
In today's connected world, there is presently no surefire way to protect our clients from suffering HIPAA breaches. As counsel, we can take the following actions to arm our clients with the tools they need to minimize the risk of suffering a breach, and to protect them and ourselves from the legal ramifications of HIPAA breaches if and when they do occur:
1. Educate clients when potential breaches arise and assist them in taking the necessary steps to determine whether or not a breach has in fact occurred.
2. Establish Business Associate Agreements with clients who transmit PHI, so that counsel may represent the HIPAA-covered entity without violating HIPAA when acquiring PHI during the representation. Such agreements require the Business Associate to offer the same protection of PHI that the covered entity is required to provide.
3. Encourage clients to review and update HIPAA security measures regularly.
4. Ask clients to identify all areas in their usual course of business where they may receive or maintain PHI as well as all access points to their systems containing PHI.
5. Ensure clients carry sufficient cyber or other liability insurance to cover breaches.
6. Challenge clients to go above and beyond HIPAA’s minimum requirements and to recognize additional opportunities for encryption of PHI.
[1] There are many other data identifiers requiring protection, as outlined in 45 CFR § 164.514(e)(2).