Loyola University Chicago School of Law, JD 2017
HIPAA breaches occur on a daily basis. Although undesirable, many of these breaches are not serious enough to require patient notification. But others are more egregious and can cause harm to both the patient and the providing entity. This article outlines a risk assessment guide to help compliance officers determine the seriousness of a HIPAA breach.
The risk analysis should begin with the type of protected health information (“PHI”) disclosed. Remember: there are over 18 types of PHI identifiers, including electronic protected health information (“ePHI”). A complete list of identifiers can be found here. The breach’s severity hinges on two factors. First, the likelihood that the PHI could lead to adverse consequences for the individual it belongs to. Some identifiers, like a social security number, are more damaging to a patient than, say, a license plate number. Second, the sensitivity of the PHI. Mental health records or an STD diagnosis rank higher on the sensitivity scale than standard blood work or prescriptions for vitamin supplements. Generally speaking, highly sensitive PHI is PHI that could embarrass the patient.
Compliance officers must also consider re-identification. Re-identification refers to the ability of an unauthorized viewer to identify the patient based upon the PHI leaked. An example of PHI with a high likelihood of identification would be a patient’s email address that reads like this: BarackObama2008@gmail.com. Here, the patient is named. An unauthorized viewer can easily re-identify Barack Obama as a person who obtained health care services at this particular healthcare provider. Barack Obama is a famous and unique name, which only furthers an unauthorized viewer’s ability to determine the email user’s real identity. However, an email address such as JohnSmith1985@gmail.com would not risk re-identification to the same extent because the name is extremely common.
As a side note, this is why best practice calls for special flags or security settings attached to the medical records of easily identified members of the community (e.g. celebrities, politicians, members of the clergy, staff members, etc.).
Once a compliance officer identifies the type of PHI involved, they can turn their attention to the person(s) receiving this PHI. This step is fact-specific, and compliance officers must rely on their own professional judgment. However, one factor should always be considered: the likelihood that the unauthorized recipient will use the PHI in a way that adversely affects the owner. Identity thieves prey on stolen medical records. If a hacker obtains PHI through data theft, a compliance officer can assume the hacker does not have good intentions. On the other hand, if a patient receives another patient’s prescription pills by mistake, the likelihood of adverse harm drops significantly. While this step defers to the compliance officer’s judgment, the judgment made in step two must also be balanced against the information obtained in step one. For example: an innocent mistake with no chance of adverse harm can still involve highly sensitive information, which would require patient notification.
Once the compliance officer takes all of the factors into account, they can determine whether there is a high probability that the PHI has been compromised. If a high probability exists, the compliance officer should then follow a breach notification procedure. If not, then no patient notification is required. Either way, once the compliance officer makes a determination, the risk assessment is complete. But keep in mind that providers should strive to eliminate all HIPAA breaches regardless of their severity. Even if the assessment does not require patient notification, a HIPAA breach can still require re-training or further education to prevent future risk.