Protected Health Information Breaches: What They Are
Jeannine LeCompte, Compliance Research Specialist
The Oregon Department of Human Services disclosed in March 2019 that millions of agency emails had been breached in January, potentially exposing the medical information of at least 350,000 people.
A Massachusetts hospital recently alerted 6,300 patients that some of their Protected Health Information (PHI) was exposed due to a security breach at a third-party vendor.
According to a recent Bitglass report, healthcare organizations reported 290 breaches in 2018, with 11.5 million records compromised.
Protecting the information of patients and residents has become one of the biggest issues—and concerns—of healthcare facilities, and the failure to protect such data can lead to substantial financial penalties, civil suits, and sanction by the authorities.
It is an operational necessity that all healthcare facility staff members have a clear understanding of what constitutes a PHI breach, how to avoid one, and what to do should one occur.
According to the official guidelines provided by the Centers for Medicare and Medicaid Services (CMS), a breach is defined as “any impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
The Privacy Rule is a legally established code which sets national standards to protect individuals’ medical records and other PHI. It applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically.
According to the U.S. Department of Health & Human Services (HHS), this rule requires “appropriate safeguards” to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
An “impermissible use or disclosure” of PHI is always presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
There are three exceptions to the definition of “breach.”
The first exception applies to the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
The second exception applies to the inadvertent disclosure of PHI by a person authorized to access PHI to another authorized person within the same organization, as long as that information is not used or disclosed in a manner not permitted by the Privacy Rule.
The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.