There's Been a Breach: What to do When PHI is Compromised
By Molly Adrian, JD, Legal Risk Management Consultant, Mutual Insurance Company of Arizona
Digital - June 2023
HIPAA covered entities and their business associates must safeguard patients’ protected health information (“PHI”) from impermissible uses and disclosures. However, threats to PHI security abound and it is imperative to know how to respond if a breach occurs to limit your liability exposure. The scenarios below are just a few examples of what may constitute a HIPAA breach. The information that follows will help you take the necessary and required steps when you suspect a breach has occurred.
What is a Breach?
A breach is defined as “an impermissible use or disclosure…that compromises the security or privacy of the protected health information.”[i] A breach is presumed to have occurred unless the covered entity or business associate demonstrates and documents a low probability that the PHI has been compromised based on a risk assessment of at least the following:
-
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
-
The unauthorized person who used the PHI or to whom the disclosure was made;
-
Whether the PHI was actually acquired or viewed; and
-
The extent to which the risk to the PHI has been mitigated.[ii]
There are also three exceptions to the definition of a breach, which are described on the U.S. Department of Health and Human Services website here.[iii]
What Might a Breach Look Like?
EHR Snooping: A new patient arrives to your clinic and your front desk employee recognizes the patient as his high school math teacher. Even though the employee is not involved in clinical care, he is curious about his former teacher’s health problems, and accesses their record after you enter visit notes. The employee then texts a few of his old friends and reveals the teacher’s PHI.
The employee should only be able to access the PHI which is necessary to do his job, and certainly should not disperse a patient’s PHI outside the practice.
Stolen Laptop: Every evening after seeing patients all day, you take your laptop home so you can finish documenting patient visits. One evening, you stop to pick up dinner on the way, leaving your laptop on the passenger seat. Ten minutes later, you get back to your car and realize someone broke the passenger window and stole the laptop. Your stomach is in knots when you remember you taped your EHR password next to the mouse pad on the laptop. Whoever took the laptop now has access to each of your patients’ medical and billing records.
Though you cannot be sure that the thief will access patient data, it would be easy for them to do so and use sensitive information for nefarious purposes.
Records Disposal: You have run a small internal medicine practice for 20 years and always preferred paper records over an electronic health record. You realize that you have records on your shelves from patients you have not seen in more than ten years, and it is time to clear those records out. You ask your new front office staff member (who is not yet HIPAA trained) to take on the task, and you do not specify the proper way to discard the records. Your employee does not cross-shred the documents and simply disposes of them in the dumpster behind your practice, leaving hundreds of patients’ PHI vulnerable.
Anyone walking by the dumpster could take patient files and find information on your patients, such as social security numbers, which a thief could use to exploit your patients.
Ransomware: You come to work one morning and upon turning on your computer, get a message that hackers have encrypted all your patient records through a ransomware attack and the records will be destroyed within five days if you do not pay a ransom.
You have lost control over your patient’s records. Their sensitive information is vulnerable to exploitation, and you may have lost information necessary to ensure the patients’ continuity of care.
​
What Next?
1. Contain the breach and mitigate the harm. Take steps such as removing the unauthorized person’s access, taking appropriate employment action, contacting your electronic health record vendor, and retrieving physical records if possible. Consider offering your patients credit monitoring or identity theft protection services.
2. Contact entities and individuals who can help. Call your professional liability insurance company and contact a health care attorney in your community.
3. Assess the extent of the breach and notify affected individuals. Notification requirements for a breach affecting 500 or more individuals are different than for smaller breaches.
a. A breach affecting 500 or more individuals:
i. Notify affected individuals in written form by first-class mail or e-mail if the individual has agreed to receive such notification electronically. If contact information is insufficient for 10 or more individuals, provide substitute notice for at least 90 days via the practice website or through major media outlets. Provide notification without unreasonable delay but no later than 60 days following the discovery of a breach. Include:
1. a description of the breach;
2. the type of information involved;
3. steps the individuals should take to protect themselves;
4. what the entity is doing to investigate the breach;
5.what the entity is doing to mitigate the harm and prevent another breach; and
6. contact information so the affected individuals can ask questions.
ii. Notify the media. Notify prominent media outlets in the state or jurisdiction without unreasonable delay but no later than 60 days following the discovery of the breach. Include the same information required for the individual notification.
iii. Notify the Secretary of the Department of Health and Human Services. The electronic notification form can be found here.[iv] Notification must be made without unreasonable delay but no later than 60 days from the discovery of the breach.
b. A breach affecting fewer than 500 individuals.
i.Notify affected individuals in written form by first-class mail or e-mail if the individual has agreed to receive such notification electronically. If contact information is insufficient for 10 or more individuals, provide substitute notice for at least 90 days via the practice website or through major media outlets. Provide notification without unreasonable delay but no later than 60 days following the discovery of a breach. Include:
1. a description of the breach;
2. the type of information involved;
3. steps the individuals should take to protect themselves;
4. what the entity is doing to investigate the breach;
5. what the entity is doing to mitigate the harm and prevent another breach; and
6. contact information so the affected individuals can ask questions.
ii. Notify the Secretary of the Department of Health and Human Services. The electronic notification form can be found here.[v] Notification may be made on an annual basis.
4. Review and revise policies and procedures. Conduct a review of your HIPAA policies and procedures and revise them as needed to prevent future breaches.
5. Document everything. Document all steps taken in response to the breach, including the risk assessment, notifications, containment efforts, and mitigation efforts. This documentation will be important to show compliance with HIPAA regulations should the Department of Health and Human Services Office for Civil Rights investigate your privacy practices.
It is important to take proper action to protect the privacy and security of your patients’ PHI. If you are not sure what to do or need additional guidance, you may want to consult with your professional liability insurance company, a HIPAA compliance professional, or a healthcare attorney in your area.
​
About the Author:
Molly Adrian, JD, is a Legal Risk Consultant with the Mutual Insurance Company of Arizona (MICA). Prior to joining MICA, Molly practiced as an Assistant Attorney General working with various programs within the Arizona Department of Health Services, and later moved into private practice where she worked to defend healthcare practitioners and institutions from allegations of medical malpractice. In her role as part of MICA’s risk management services department, she is committed to using her background and experience to provide MICA’s insured clients with sound risk management advice and resources to help foster quality patient care while minimizing liability exposure.
Citations:
[i] https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
[ii] https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
[iii] Id.
[iv] https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
[v] https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html