Exceptions to a HIPAA Breach

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

In 2007 the Guide to Medical Privacy Law was published. It indicated that on multiple occasions hospitals, EMT services, schools, and other public agencies were incorrectly withholding news out of fear of violating HIPAA policy. Often, there isn’t a clear understanding of what constitutes an exception to HIPAA and who can say what. The same can be true of breaches and what exactly counts as one.

What Are the Rules?

The Breach Notification Rule was put in place to require covered entities and business associates to be accountable for providing specific notifications in the event of a breach.

A breach is defined by the U.S. Department of Health and Human Services (HHS) as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

In simpler terms, if PHI was shared with individuals and entities who don’t have a right to see it, it’s a breach. However, you can utilize the HHS guidelines to establish intent – or lack thereof. A breach is presumed to be a breach unless the covered entity or business associate can demonstrate that the PHI in question has a low probability of being compromised based on the following criteria or factors:

  1. The nature and extent of the PHI involved, including the identifying information and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was acquired and viewed.
  4. The extent to which the risk to the PHI has been mitigated.

What Are the Exceptions?

There are three exceptions to the HHS’s definition of a breach. They are:

  1. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
  3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

This article was originally published on HIPAA Secure Now! and is republished here with permission.