By Ron Sterling
The HIPAA Omnibus Rules, released in January 2013, will dramatically affect how you manage and deal with the impermissible disclosure and use of Protected Health Information (PHI). Indeed, the new HIPAA Omnibus rules place a burden on your healthcare organization to analyze and document your review of potential PHI breaches. As a practical matter, your healthcare organization could be looking at substantial problems complying with these requirements unless you strengthen your monitoring strategy.
Under the “old” HIPAA/HITECH Breach rules, a breach required a significant risk of financial, reputational, or other harm to the individual. Under the “new” HIPAA Omnibus rules, the standard is much lower: an impermissible disclosure or use of PHI is treated as a breach unless there is a low probability that the PHI has been compromised. As important, you can now evaluate potential breaches and document your “good faith evaluation” and “reasonable conclusion.” Alternatively, you can just assume that the event is a breach.
The evaluation is based on four factors:
1. PHI Nature and Extent: You can evaluate the sensitivity of the impermissibly disclosed PHI as well as the ability to identify the patient, including how the information is presented. For example, a list of dated de-identified lab results disclosed together with a separate list of patient appointments for the day of the lab work would present a higher probability of compromise, because the two lists can be matched. Similarly, scanned images of PHI may include patient identifiers and present a higher probability of compromise.
2. Unauthorized Person Who Received or Used the PHI: You must evaluate the recipient of the impermissible disclosure or use to determine the extent of the problem. For example, impermissible disclosure to a party who has been properly trained in HIPAA Privacy and Security and works for a Covered Entity or Business Associate may present a lower probability than impermissible disclosure of PHI to an employee of your own organization who has not been trained on proper HIPAA Security and Privacy standards.
3. Actual Acquisition or Viewing of PHI: In evaluating the problem, you can determine whether there was an opportunity to access the PHI. For example, a file of information that requires a special reading program presents a lower probability than a patient record in a PDF file. Similarly, if a device was lost but, upon recovery, you can determine that the device was not accessed, you have a low probability of disclosure or use.
4. Mitigating Factors: In the final step of your evaluation, you can determine whether there were mitigating factors that lead you to a good faith and reasonable conclusion that the information was not compromised. For example, a thumb drive containing PHI on a patient that was lost within the healthcare organization (HCO) but recovered in a nonpublic area may present a mitigating factor. Indeed, you may reasonably rely on the assurances of the party to whom the information was improperly disclosed.
The evaluation of these four factors has to be documented as well as your good faith and reasonable conclusion. If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements.
However, you should seriously consider the implications of the impermissible disclosure and use on your organization. You should:
- Examine the events that led to the impermissible disclosure and use in light of your HIPAA Privacy and Security policies and procedures. Indeed, the impermissible disclosure or use should trigger an analysis of the relevant policies and procedures as well as the supervision and training of employees.
- Track all impermissible disclosures (including breaches) to support analysis of problems that may lead to more serious issues in the future. For example, just because a number of impermissible disclosures and uses have not risen to the level of a breach does not mean that you do not have a weakness. Indeed, continuing PHI disclosure and use problems could be an indication of a potential problem and a higher risk profile than your breach log shows.
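The following Python register is an added illustration of the workflow described above (the four-factor evaluation, the documentation requirement, and the tracking of all impermissible disclosures, not only breaches). It is not code from the article or from Ron Sterling, and it does not encode any threshold from the Omnibus Rule itself. Its assumptions are labelled in the comments: each factor is recorded as a written rationale plus a yes/no finding; the organization treats an event as a breach unless every factor supports a low probability of compromise (a deliberately conservative policy); and a root cause recurring three or more times in 90 days is flagged for policy review. The sample events are constructed.

```python
"""Incident register for impermissible PHI disclosures (added illustration).

Assumptions (organizational policy, NOT taken from the Omnibus Rule text):
  * each of the four factors is documented as a rationale plus a finding;
  * an event is a breach unless all four findings support low probability;
  * a root cause seen >= 3 times in 90 days is reported as a weakness.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# The four factors of the Omnibus breach risk assessment.
FACTORS = ("nature_and_extent", "recipient", "acquired_or_viewed", "mitigation")


@dataclass
class FactorFinding:
    rationale: str                  # documented good-faith reasoning for this factor
    supports_low_probability: bool  # does this factor point to low probability of compromise?


@dataclass
class DisclosureEvent:
    event_id: str
    occurred: date
    root_cause: str                 # e.g. "misdirected fax"; used for trend tracking
    findings: dict = field(default_factory=dict)  # factor name -> FactorFinding
    presumed_breach: bool = False   # organization skipped the evaluation and assumed a breach


class DocumentationError(ValueError):
    """A determination was attempted without a fully documented evaluation."""


def missing_factors(event: DisclosureEvent) -> list:
    """Factors that have no written rationale; the evaluation must be documented."""
    return [f for f in FACTORS
            if f not in event.findings or not event.findings[f].rationale.strip()]


def determine(event: DisclosureEvent) -> str:
    """Return 'breach' or 'low probability' for one event.

    Refuses to conclude anything while any factor is undocumented.
    """
    if event.presumed_breach:
        return "breach"
    missing = missing_factors(event)
    if missing:
        raise DocumentationError(f"{event.event_id}: undocumented factor(s): {', '.join(missing)}")
    # Conservative policy (assumption): one factor that does not support a low
    # probability of compromise is enough to make the event a notifiable breach.
    if all(event.findings[f].supports_low_probability for f in FACTORS):
        return "low probability"
    return "breach"


def weakness_report(events, as_of: date, window_days: int = 90, threshold: int = 3) -> dict:
    """Count root causes over ALL impermissible disclosures in the window,
    breaches and non-breaches alike, and return those at or above threshold."""
    start = as_of - timedelta(days=window_days)
    counts = Counter(e.root_cause for e in events if start <= e.occurred <= as_of)
    return {cause: n for cause, n in counts.items() if n >= threshold}


def _ok(rationale):    # a documented finding that supports low probability
    return FactorFinding(rationale, True)


def _bad(rationale):   # a documented finding that does not
    return FactorFinding(rationale, False)


# Constructed sample register: three misdirected faxes and one lost device.
SAMPLE_EVENTS = [
    DisclosureEvent("E-1", date(2013, 9, 2), "misdirected fax", {
        "nature_and_extent": _ok("Appointment reminder with name and date only"),
        "recipient": _ok("Reached HIPAA-trained staff at another covered entity"),
        "acquired_or_viewed": _ok("Recipient states the fax was shredded unread"),
        "mitigation": _ok("Written assurance of destruction obtained")}),
    DisclosureEvent("E-2", date(2013, 9, 20), "misdirected fax", {
        "nature_and_extent": _ok("Referral letter, no clinical detail"),
        "recipient": _ok("Sent to a business associate under BAA"),
        "acquired_or_viewed": _ok("Returned sealed in the original envelope"),
        "mitigation": _ok("Recipient confirmed no copies were made")}),
    DisclosureEvent("E-3", date(2013, 10, 15), "misdirected fax", {
        "nature_and_extent": _bad("Lab results with full patient identifiers"),
        "recipient": _bad("Unknown private fax number"),
        "acquired_or_viewed": _bad("No way to confirm whether it was read"),
        "mitigation": _bad("Recipient could not be reached")}),
    DisclosureEvent("E-4", date(2013, 10, 28), "lost device", presumed_breach=True),
]
# A constructed, partially documented event: determine() must refuse it.
PARTIAL_EVENT = DisclosureEvent("E-5", date(2013, 10, 1), "other",
                                {"nature_and_extent": _ok("Name only")})
AS_OF = date(2013, 10, 31)


def register_summary(events=SAMPLE_EVENTS, as_of=AS_OF):
    """Per-event determinations plus the recurring root causes to review."""
    return {e.event_id: determine(e) for e in events}, weakness_report(events, as_of)


if __name__ == "__main__":
    determinations, weaknesses = register_summary()
    print(determinations)   # E-1, E-2 low probability; E-3, E-4 breach
    print(weaknesses)       # misdirected fax recurs even though only one was a breach
```

Note that the weakness report counts E-1 and E-2 although neither was a breach; that is the point of the tracking step, since the breach log alone would show a single misdirected fax.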
The updated breach rules in the HIPAA Omnibus Rules lower the threshold for a breach and increase the work that you need to do to track impermissible uses and disclosures of PHI. The analysis of impermissible disclosures and uses can help you identify weaknesses and strengthen your Privacy and Security strategies. Conversely, a history of impermissible uses and disclosures may reflect unfavorably on your effort to protect PHI even if you have avoided an actual breach.
This article was originally published on Avoid EHR Disasters and is used here with permission. Ron Sterling is a nationally recognized expert on EHR implementation, Meaningful Use, and HIPAA Security. He is also host of The EHR Zone, an Internet radio program airing daily at 4 pm Eastern. He can be contacted at firstname.lastname@example.org.