{"id":423,"date":"2017-03-15T12:42:47","date_gmt":"2017-03-15T12:42:47","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=423"},"modified":"2017-03-15T12:42:47","modified_gmt":"2017-03-15T12:42:47","slug":"protected-health-information-has-it-been-compromised","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=423","title":{"rendered":"Protected Health Information: Has it been Compromised?"},"content":{"rendered":"<p><em>Ryan Whitney<br \/>\nManaging Editor<br \/>\nLoyola University Chicago School of Law, JD 2017<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>HIPAA breaches occur on a daily basis. Although undesirable, many of these breaches are not serious enough to require patient notification. But others are more egregious and can cause harm to both the patient and the providing entity. This article outlines a risk assessment guide to help compliance officers determine the seriousness of a HIPAA breach.<\/p>\n<p class=\"p1\"><strong><span class=\"s1\">STEP ONE:<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">The risk analysis should begin with the type of protected health information (\u201cPHI\u201d) disclosed. Remember: there are over 18 types of PHI identifiers, including electronic protected health information (\u201cePHI\u201d). A complete list of identifiers can be found <a href=\"https:\/\/medschool.duke.edu\/research\/clinical-and-translational-research\/duke-office-clinical-research\/irb-and-institutional-14\"><span class=\"s2\">here<\/span><\/a>. The breach\u2019s severity hinges on a couple of factors. First \u2014 the chances that the PHI could lead to adverse consequences to the individual it belongs to. Some, like a social security number, are more damaging to a patient than, say, a license plate number. Second \u2014 the sensitivity of the PHI. Mental health records or an STD diagnosis rank higher on the sensitivity scale than standard blood work or prescriptions for vitamin supplements. 
Generally speaking, highly sensitive PHI is PHI that could embarrass the patient.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Compliance officers must also consider re-identification. Re-identification refers to the ability of an unauthorized viewer to identify the patient based upon the PHI leaked. An example of PHI with a high likelihood of identification would be a patient\u2019s email address that reads like this: BarackObama2008@gmail.com. Here, the patient is named. An unauthorized viewer can easily recall or re-identify Barack Obama as a person who obtained health care services at this given healthcare provider. Barack Obama is a famous and unique name, which only furthers an unauthorized viewer\u2019s ability to determine the email user\u2019s real identity. However, an email address such as JohnSmith1985@gmail.com would not risk re-identification to the same extent because the name is extremely common. <\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">As a side note, this is why best practice calls for special flags or security settings attached to the medical records of easily identified members of the community (e.g. celebrities, politicians, members of the clergy, staff members, etc.). <\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">STEP TWO:<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">Once a compliance officer identifies the type of PHI involved, he\/she can turn their attention to the person(s) receiving this PHI. This step is fact-specific and compliance officers must rely on their own professional judgment. However, one factor should be considered \u2014 the likelihood that the unauthorized recipient will use the PHI in a way that affects the owner in an adverse manner. Identity thieves prey on stolen medical records. If a hacker obtains PHI through data theft, a compliance officer can assume the hacker does not have good intentions. 
On the other hand, if a patient receives another patient\u2019s prescription pills by mistake, the likelihood of adverse harm drops significantly. While this step defers to the compliance officer\u2019s judgment, their discernment on step two must also balance against information obtained in step one. For example: an innocent mistake with no chance of adverse harm can still contain highly sensitive information which would require patient notification. <\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Once the compliance officer takes all of the factors into account, he\/she can determine if there is a high probability the PHI has been compromised. If a high probability exists, the compliance officer should then follow a breach notification procedure. If not, then no patient notification is required. Either way, once the compliance officer makes a determination, the risk assessment is complete. But keep in mind that providers should strive to eliminate all HIPAA breaches regardless of their severity. Even if the assessment does not require patient notification, a HIPAA breach can still require re-training or further education to prevent future risk.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ryan Whitney Managing Editor Loyola University Chicago School of Law, JD 2017 &nbsp; HIPAA breaches occur on a daily basis. Although undesirable, many of these breaches are not serious enough to require patient notification. But others are more egregious and can cause harm to both the patient and the providing entity. 
This article outlines a &#8230;<br \/><a class=\"read-more-link btn btn-outline-secondary\" href=\"https:\/\/blogs.luc.edu\/compliance\/?p=423\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[321,744,1577,1808],"class_list":["post-423","post","type-post","status-publish","format-standard","hentry","category-hipaa-health-information","tag-breach","tag-ephi","tag-phi","tag-security-settings"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=423"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}