Definitions: Breach SECTION 164.402
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations
Definitions: Breach - § 164.402
As used in this subpart, the following terms have the following meanings:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
(ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.
(2) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
HHS Description and Commentary
Definitions: Breach
Section 13402 of the Act and this interim final rule require covered entities and
business associates to provide notification following a breach of unsecured protected
health information. Section 13400(1)(A) of the Act defines “breach” as the
“unauthorized acquisition, access, use, or disclosure of protected health information
which compromises the security or privacy of the protected health information, except
where an unauthorized person to whom such information is disclosed would not
reasonably have been able to retain such information.” Section 13400(1)(B) of the Act provides several exceptions to the definition of “breach.” Based on § 13400(1)(A), we
have defined “breach” at § 164.402 of the interim final rule as “the acquisition, access,
use, or disclosure of protected health information in a manner not permitted under subpart
E of this part which compromises the security or privacy of the protected health
information.” We have added paragraph (1) to the definition to clarify when the security
or privacy of information is considered to be compromised. Paragraph (2) of the
definition then includes the statutory exceptions, including the exception within §
13400(1)(A) that refers to whether the recipient would reasonably have been able to
retain the information.
Protected Health Information
We note that the definition of “breach” is limited to protected health information.
With respect to a covered entity or business associate of a covered entity, protected health
information is individually identifiable health information that is transmitted or
maintained in any form or medium, including electronic information. 45 CFR 160.103.
If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected
health information, and thus, any inadvertent or unauthorized use or disclosure of such
information will not be considered a breach for purposes of this subpart. Additionally, §
160.103 excludes certain types of individually identifiable health information from the
definition of “protected health information,” such as employment records held by a
covered entity in its role as employer. If individually identifiable health information that
is not protected health information is used or disclosed in an unauthorized manner, it
would not qualify as a breach for purposes of this subpart – although the covered entity
should consider whether it has notification requirements under other laws. Further, we
note that although the definition of “breach” applies to protected health information
generally, covered entities and business associates are required to provide the breach
notifications required by the Act and this interim final rule (discussed below) only upon a
breach of unsecured protected health information. See also Section II of this document
for a list of the technologies and methodologies that render protected health information
secure such that notification is not required in the event of a breach.
Unauthorized Acquisition, Access, Use, or Disclosure
The statute defines a “breach” as the “unauthorized” acquisition, access, use, or
disclosure of protected health information. Several commenters asked that we define
“unauthorized” or that we clarify its meaning. We clarify that “unauthorized” is an
impermissible use or disclosure of protected health information under the HIPAA Privacy
Rule (subpart E of 45 CFR part 164). Accordingly, the definition of “breach” at §
164.402 of the interim final rule interprets the “unauthorized acquisition, access, use, or
disclosure of protected health information” as “the acquisition, access, use, or disclosure
of protected health information in a manner not permitted under subpart E of this part.”
We emphasize that not all violations of the Privacy Rule will be breaches under this
subpart, and therefore, covered entities and business associates need not provide breach
notification in all cases of impermissible uses and disclosures. We also note that the
HIPAA Security Rule provides for administrative, physical, and technical safeguards and
organizational requirements for electronic protected health information, but does not
govern uses and disclosures of protected health information. Accordingly, a violation of
the Security Rule does not itself constitute a potential breach under this subpart, although
such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this
subpart.
The Act does not define the terms “acquisition” and “access.” Several
commenters asked that we define or identify the differences between acquisition, access,
use, and disclosure of protected health information, for purposes of the definition of
“breach.” We interpret “acquisition” and “access” to information based on their plain
meanings and believe that both terms are encompassed within the current definitions of
“use” and “disclosure” in the HIPAA Rules. Accordingly, we have not added separate
definitions for these terms. We have retained the statutory terms in the regulation in
order to maintain consistency with the statute. In addition, we note that while the HIPAA
Security Rule at § 164.304 includes a definition of the term “access,” such definition is
limited to the ability to use “system resources” and not to access to information more
generally and thus, we have revised that definition to make clear that it does not apply for purposes of these breach notification rules.
For an acquisition, access, use, or disclosure of protected health information to
constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of
the first steps in determining whether notification is necessary under this subpart is to
determine whether a use or disclosure violates the Privacy Rule. We note that uses or
disclosures that impermissibly involve more than the minimum necessary information, in
violation of §§ 164.502(b) and 164.514(d), may qualify as breaches under this subpart.
In contrast, a use or disclosure of protected health information that is incident to an
otherwise permissible use or disclosure and occurs despite reasonable safeguards and
proper minimum necessary procedures would not be a violation of the Privacy Rule.
Compromises the Security or Privacy of Protected Health Information
The Act and regulation next limit the definition of “breach” to a use or disclosure
that “compromises the security or privacy” of the protected health information.
Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the
covered entity must determine whether the violation compromises the security or privacy
of the protected health information.
For the purposes of the definition of “breach,” many commenters suggested that
we add a harm threshold such that an unauthorized use or disclosure of protected health
information is considered a breach only if the use or disclosure poses some harm to the
individual. These commenters noted that the “compromises the security or privacy”
language in § 13400(1)(A) of the Act contemplates that covered entities will perform
some type of risk assessment to determine if there is a risk of harm to the individual, and
therefore, if a breach has occurred. Commenters urged that the addition of a harm
threshold to the definition would also align this regulation with many State breach
notification laws that require entities to reach similar harm thresholds before providing
notification. Finally, some commenters noted that failure to include a harm threshold for
requiring breach notification may diminish the impact of notifications received by
individuals, as individuals may be flooded with notifications for breaches that pose no
risk of harm to them. Over-notification of this kind may cause unwarranted panic in
individuals, and the expenditure of undue costs and other resources by individuals in
remedial action.
We agree that the statutory language encompasses a harm threshold and have
clarified in paragraph (1) of the definition that “compromises the security or privacy of
the protected health information” means “poses a significant risk of financial,
reputational, or other harm to the individual.” This ensures better consistency and
alignment with State breach notification laws, as well as existing obligations on Federal
agencies (some of which also must comply with these rules as HIPAA covered entities)
pursuant to OMB Memorandum M-07-16 to have in place breach notification policies for
personally identifiable information that take into account the likely risk of harm caused
by a breach in determining whether breach notification is required. Thus, to determine if
an impermissible use or disclosure of protected health information constitutes a breach,
covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the
impermissible use or disclosure. In performing the risk assessment, covered entities and
business associates may need to consider a number or combination of factors, some of
which are described below.
Covered entities and business associates should consider who impermissibly used
or to whom the information was impermissibly disclosed when evaluating the risk of
harm to individuals. If, for example, protected health information is impermissibly
disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 (5 USC 552a)
and the Federal Information Security Management Act of 2002 (44 USC 3541 et seq.),
there may be less risk of harm to the individual, since the recipient entity is obligated to
protect the privacy and security of the information it received in the same or similar
manner as the entity that disclosed the information. In contrast, if protected health
information is impermissibly disclosed to any entity or person that does not have similar
obligations to maintain the privacy and security of the information, the risk of harm to the
individual is much greater.
We expect that there may be circumstances where a covered entity takes
immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the
recipient’s satisfactory assurances that the information will not be further used or
disclosed (through a confidentiality agreement or similar means) or will be destroyed. If
such steps eliminate or reduce the risk of harm to the individual to a less than “significant risk,” then we interpret that the security and privacy of the information has not been
compromised and, therefore, no breach has occurred.
In addition, there may be circumstances where impermissibly disclosed protected
health information is returned prior to it being accessed for an improper purpose. For
example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the
computer shows that its information was not opened, altered, transferred, or otherwise
compromised, such a breach may not pose a significant risk of harm to the individuals
whose information was on the laptop. Note, however, that if a computer is lost or stolen,
we do not consider it reasonable to delay breach notification based on the hope that the
computer will be recovered.
In performing a risk assessment, covered entities and business associates should
also consider the type and amount of protected health information involved in the
impermissible use or disclosure. If the nature of the protected health information does
not pose a significant risk of financial, reputational, or other harm, then the violation is
not a breach. For example, if a covered entity improperly discloses protected health
information that merely included the name of an individual and the fact that he received
services from a hospital, then this would constitute a violation of the Privacy Rule, but it
may not constitute a significant risk of financial or reputational harm to the individual. In
contrast, if the information indicates the type of services that the individual received
(such as oncology services), that the individual received services from a specialized
facility (such as a substance abuse treatment program), or if the protected health
information includes information that increases the risk of identity theft (such as a social
security number, account number, or mother’s maiden name), then there is a higher
likelihood that the impermissible use or disclosure compromised the security and privacy
of the information. The risk assessment should be fact specific, and the covered entity or
business associate should keep in mind that many forms of health information, not just
information about sexually transmitted diseases or mental health, should be considered
sensitive for purposes of the risk of reputational harm – especially in light of fears about
employment discrimination.
We also address impermissible uses and disclosures involving limited data sets
(as the term is used at 45 CFR 164.514(e) of the Privacy Rule), in paragraph (1) of the definition of “breach” at § 164.402 of the interim final rule. In the RFI discussed above,
we asked for public comment on whether limited data sets should be considered
unusable, unreadable, or indecipherable and included as a methodology in the guidance.
A limited data set is created by removing the 16 direct identifiers listed in § 164.514(e)(2)
from the protected health information. These direct identifiers include the name,
address, social security number, and account number of an individual or the individual’s
relative, employer, or household member. When these 16 direct identifiers are removed
from the protected health information, the information is not completely de-identified
pursuant to 45 CFR 164.514(b). In particular, the elements of dates, such as dates of
birth, and zip codes, are allowed to remain within the limited data set, which increase the
potential for re-identification of the information. Because there is a risk of
re-identification of the information within a limited data set, the Privacy Rule treats this
information as protected health information that may only be used or disclosed as
permitted by the Privacy Rule.
Several commenters suggested that the limited data set should not be included in
the guidance as a method to render protected health information unusable, unreadable, or
indecipherable to unauthorized individuals such that breach notification is not required.
These commenters cited concerns about the risk of re-identification of protected health
information in a limited data set and noted that, as more data exists in electronic form and
as more data becomes public, it will be easier to combine these various sources to reestablish the identity of the individual. Furthermore, due to the risk of re-identification,
these commenters stated that creating a limited data set was not comparable to encrypting
information, and therefore, should not be included as a method to render protected health
information unusable, unreadable, or indecipherable to unauthorized individuals.
The majority of commenters, however, did support the inclusion of the limited
data set in the guidance. These commenters stated that it would be impractical to require
covered entities and business associates to notify individuals of a breach of information
within a limited data set because, by definition, such information excludes the very
identifiers that would enable covered entities and business associates, without undue
burden, to identify the affected individuals and comply with the breach notification
requirements. Additionally, these commenters cited contractual concerns regarding the
data use agreement, which prohibits the recipient of a limited data set from re-identifying
the information and therefore, may pose problems with complying with the notification requirements of § 13402(b) of the Act.
These commenters also noted that the decision to exclude the limited data set
from the guidance, such that a breach of a limited data set would require breach
notification, would reduce the likelihood that covered entities would continue to create
and share limited data sets. This, in turn, would have a chilling effect on the research and
public health communities, which rely on receiving information from covered entities in
limited data set form.
Finally, commenters noted that the removal of the 16 direct identifiers in the
limited data set presents a minimal risk of serious harm to the individual by limiting the
possibility that the information could be used for an illicit purpose if breached. These commenters also suggested that the inclusion of the limited data set in the guidance
would align with most state breach notification laws, which, as a general matter, only
require notification when certain identifiers are exposed and when there is a likelihood
that the breach will result in harm to the individual.
We also asked commenters if they believed that the removal of an individual’s
date of birth or zip code, in addition to the 16 direct identifiers in 45 CFR 164.514(e)(2),
would reduce the risk of re-identification of the information such that it could be included
in the guidance. Several commenters responded to this question. While some stated that
the removal of these data elements would render the information useless to the research
and public health communities, which may, for example, require zip codes for many
population based studies, many commenters did acknowledge that the removal of these
additional identifiers would reduce the risk of re-identification of the information.
After considering these comments, we decided against including the limited data
set in the guidance as a method for rendering protected health information unusable,
unreadable, or indecipherable to unauthorized individuals due to the potential risk of
re-identification of this information. However, we address breaches of limited data sets in
the definition of “breach” as follows.
Under the definition of “breach” at § 164.402, in order to determine whether a
covered entity’s or business associate’s impermissible use or disclosure of protected
health information constitutes a breach, the covered entity or business associate will need
to perform the risk assessment discussed above. This applies to impermissible uses or
disclosures of protected health information that constitute a limited data set, unless, as
discussed below, the protected health information also does not include zip codes or dates of birth. In performing the risk assessment to determine the likely risk of harm caused by
an impermissible use or disclosure of a limited data set, the covered entity or business
associate should take into consideration the risk of re-identification of the protected
health information contained in the limited data set.
Through a risk assessment, a covered entity or business associate may determine
that the risk of identifying a particular individual is so small that the use or disclosure
poses no significant risk of harm to any individuals. For example, it may be determined
that an impermissible use or disclosure of a limited data set that includes zip codes,
based on the population features of those zip codes, does not create a significant risk that
a particular individual can be identified. Therefore, there would be no significant risk of
harm to the individual. If there is no significant risk of harm to the individual, then no
breach has occurred and no notification is required. If, however, the covered entity or
business associate determines that the individual can be identified based on the
information disclosed, and there is otherwise a significant risk of harm to the individual,
then breach notification is required, unless one of the other exceptions discussed below
applies.
We have provided a narrow, explicit exception to what compromises the privacy
or security of protected health information for a use or disclosure of protected health
information that excludes the 16 direct identifiers listed at 45 CFR 164.514(e)(2) as well
as dates of birth and zip codes. Thus, we deem an impermissible use or disclosure of this
information to not compromise the security or privacy of the protected health
information, because we believe that impermissible uses or disclosures of this
information – if subjected to the type of risk assessment described above – would pose a low level of risk. We emphasize that this is a narrow exception. If, for example, the
information does not contain birth dates but does contain zip code information or
contains both birth dates and zip code information, then this narrow exception would not
apply, and the covered entity or business associate would be required to perform a risk
assessment to determine if the risk of re-identification poses a significant risk of harm to
the individual. We invite comments on this narrow exception. We do not believe that
this narrow exception will have the unintended consequence of discouraging the use of
encryption and other methods for rendering protected health information unusable,
unreadable, or indecipherable; however, we invite comments on this issue as well.
Finally, we note that this narrow exception should not be construed as encouraging or
permitting the use or disclosure of more than the minimum necessary information, in
violation of §§ 164.502(b) and 164.514(d).
We do not intend to interfere with research or public health activities that rely on
dates of birth or zip codes. Uses and disclosures of limited data sets that include this
information continue to be permissible under the Privacy Rule if the applicable
requirements, such as a data use agreement, are satisfied. Further, we note that a covered
entity or business associate is not responsible for a breach by a third party to whom it
permissibly disclosed protected health information, including limited data sets, unless the
third party received the information in its role as an agent of the covered entity or
business associate. To the extent that a third party recipient of the information is itself a
covered entity, and the information is breached while at the third party (i.e., used or
disclosed in an impermissible manner and in a manner determined to compromise the
privacy or security of the information), then the third party will be responsible for
providing the required breach notifications. Further, if a covered entity or business associate
is the recipient of a limited data set pursuant to § 164.514(e) of the Privacy Rule and it is
unable to re-identify the individuals after a breach occurs, it may satisfy the requirements
of § 164.404 without re-identifying the information, by providing substitute notice to the
individuals as required by paragraph (d)(2) of that section.
We note that the discussion above regarding “limited data sets” applies to any
protected health information that excludes the 16 direct identifiers listed at
§164.514(e)(2), regardless of whether the information is used for health care operations,
public health, or research purposes (see §164.514(e)(3)(i)), and is subject to a data use
agreement under § 164.514(e) of the Privacy Rule. Thus, for example, a covered entity
that impermissibly uses or discloses data that is stripped of the 16 direct identifiers
described above, zip codes, and dates of birth, may take advantage of the exception to
what is a breach, regardless of the intended purpose of the use or disclosure or whether a
data use agreement was in place.
With respect to any type of protected health information, we note that § 164.414,
discussed below, gives covered entities and business associates the burden of
demonstrating that no breach has occurred because the impermissible use or disclosure
did not pose a significant risk of harm to the individual. Covered entities and business
associates must document their risk assessments, so that they can demonstrate, if
necessary, that no breach notification was required following an impermissible use or
disclosure of protected health information. For impermissible uses or disclosures of
protected health information that fall under the narrow exception at paragraph (1)(ii) of
this definition, which do not qualify as breaches because the protected health information is a limited data set that does not include zip codes or dates of birth, documentation that
demonstrates that the lost information did not include these identifiers will suffice.
Exceptions to Breach
Section 13400(1) of the Act also includes three exceptions to the definition of
“breach” that encompass situations Congress clearly intended to not constitute breaches:
(1) unintentional acquisition, access, or use of protected health information by an
employee or individual acting under the authority of a covered entity or business
associate (§ 13400(1)(B)(i)); (2) inadvertent disclosure of protected health information
from one person authorized to access protected health information at a covered entity or
business associate to another person authorized to access protected health information at
the covered entity or business associate (§ 13400(1)(B)(ii) and (iii)); and (3) unauthorized
disclosures in which an unauthorized person to whom protected health information is
disclosed would not reasonably have been able to retain the information (§ 13400(1)(A)).
We have included these three exceptions as paragraphs (2)(i), (ii), and (iii), respectively.
The first regulatory exception at paragraph (2)(i) of this definition, for
unintentional acquisition, access, or use of protected health information, generally
mirrors the exception in § 13400(1)(B)(i) of the Act. This statutory section excepts from
the definition of “breach” the unintentional acquisition, access, or use of protected health
information by an employee or individual acting under the authority of a covered entity
or a business associate, if the acquisition, access, or use was made in good faith, within
the course and scope of employment or other professional relationship, and does not
result in further use or disclosure.
We modified the statutory language to use “workforce members” instead of
employees. Workforce member is a defined term in 45 CFR 160.103 and means
“employees, volunteers, trainees, and other persons whose conduct, in the performance of
work for a covered entity, is under the direct control of such entity, whether or not they
are paid by the covered entity.”
A person is acting under the authority of a covered entity or business associate if
he or she is acting on its behalf. This may include a workforce member of a covered
entity, an employee of a business associate, or even a business associate of a covered
entity. Similarly, to determine whether the access, acquisition, or use was made “within
the scope of authority,” the covered entity or business associate should consider whether
the person was acting on its behalf at the time of the inadvertent acquisition, access, or
use.
Additionally, while the statutory language provides that this exception applies
where the recipient does not further use or disclose the information, we have interpreted
this exception as encompassing circumstances where the recipient does not further use or
disclose the information in a manner not permitted under the Privacy Rule. In
circumstances where any further use or disclosure of the information is permissible under
the Privacy Rule, we interpret that there is no breach because the security and privacy of
the information has not been compromised by any such permissible use or disclosure.
To illustrate this exception, we offer the following example. A billing employee
receives and opens an e-mail containing protected health information about a patient
which a nurse mistakenly sent to the billing employee. The billing employee notices that
he is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to
which he was not authorized to have access. However, the billing employee’s use of the
information was done in good faith and within the scope of authority, and therefore,
would not constitute a breach and notification would not be required, provided the
employee did not further use or disclose the information accessed in a manner not
permitted by the Privacy Rule.
In contrast, a receptionist at a covered entity who is not authorized to access
protected health information decides to look through patient files in order to learn of a
friend’s treatment. In this case, the impermissible access to protected health information
would not fall within this exception to breach because such access was not unintentional,
was not made in good faith, and was not within the scope of authority.
The second regulatory exception, at paragraph (2)(ii) of this definition, covers
inadvertent disclosures and generally mirrors the exception provided in § 13400(1)(B)(ii)
and (iii) of the Act, with slight modifications. The statute excepts from the definition of
“breach” inadvertent disclosures from an individual who is otherwise authorized to
access protected health information at a facility operated by a covered entity or business
associate to another similarly situated individual at the same facility if the information is
not further used or disclosed without authorization. We have modified the statutory
language slightly to except from breach inadvertent disclosures of protected health
information from a person who is authorized to access protected health information at a
covered entity or business associate to another person authorized to access protected
health information at the same covered entity, business associate, or organized health care
arrangement in which the covered entity participates. Organized health care arrangement is defined by the HIPAA Rules to mean, among other things, a clinically integrated care
setting in which individuals typically receive health care from more than one health care
provider. See 45 CFR 160.103. This includes, for example, a covered entity, such as a
hospital, and the health care providers who have staff privileges at the hospital.
We received several comments with respect to this exception, and many
commenters asked that we clarify and explain the statutory language regarding what it
means to be a “similarly situated individual” and what constitutes the “same facility” for
purposes of this exception. We believe that a “similarly situated individual,” for
purposes of the statute, means an individual who is authorized to access protected health
information, and thus, for clarity, we have substituted this language for the statutory
language in the regulation. Thus, a person who is authorized to access protected health
information is similarly situated, for purposes of this regulation, to another person at the
covered entity, business associate of the covered entity, or organized health care
arrangement in which the covered entity participates, who is also authorized to access
protected health information (even if the two persons may not be authorized to access the
same types of protected health information). For example, a physician who has authority
to use or disclose protected health information at a hospital by virtue of participating in
an organized health care arrangement with the hospital is similarly situated to a nurse or
billing employee at the hospital. In contrast, the physician is not similarly situated to an
employee at the hospital who is not authorized to access protected health information.
Additionally, we have interpreted “same facility” to mean the same covered
entity, business associate, or organized health care arrangement in which the covered
entity participates and have substituted this language in the regulation. By focusing on
the legal entity or status of the entities as an organized health care arrangement when
interpreting “same facility,” we believe we have more clearly captured the intent of the
statute and have also alleviated commenter concerns that the term “facility” was too
narrow. Therefore, the size of the covered entity, business associate, or organized health
care arrangement will dictate the scope of this exception. If a covered entity has a single
location, then the exception will apply to disclosures between a workforce member and,
e.g., a physician with staff privileges at that single location. However, if a covered entity
has multiple locations across the country, the same exception will apply even if the
workforce member makes the disclosure to a physician with staff privileges at a facility located in another state.
We interpret the statutory limitation that the information not be “further acquired,
accessed, used, or disclosed without authorization” as meaning that the information is not
further used or disclosed in a manner not permitted by the Privacy Rule. Thus, this
exception encompasses circumstances in which a person who is authorized to use or
disclose protected health information within a covered entity, business associate, or
organized health care arrangement inadvertently discloses that information to another
person who is authorized to use or disclose protected health information within the same
covered entity, business associate, or organized health care arrangement, as long as the
recipient does not further use or disclose the information in violation of the Privacy Rule.
The final regulatory exception to breach at paragraph (2)(iii) of this definition
mirrors the exception found in § 13400(1)(A) of the Act. The statute excepts from the
definition of “breach” situations in which the unauthorized person to whom protected
health information has been disclosed would not reasonably have been able to retain the
information. We have slightly modified this language to except from “breach” situations
where a covered entity or business associate has a good faith belief that the unauthorized
person to whom the disclosure of protected health information was made would not
reasonably have been able to retain the information.
For example, a covered entity, due to a lack of reasonable safeguards, sends a
number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs
are returned by the post office, unopened, as undeliverable. In these circumstances, the
covered entity can conclude that the improper addressees could not reasonably have
retained the information. The EOBs that were not returned as undeliverable, however,
and that the covered entity knows were sent to the wrong individuals, should be treated as
potential breaches.
As another example, a nurse mistakenly hands a patient the discharge papers
belonging to another patient, but she quickly realizes her mistake and recovers the
protected health information from the patient. If the nurse can reasonably conclude that
the patient could not have read or otherwise retained the information, then this would not
constitute a breach.
With respect to any of the three exceptions discussed above, a covered entity or
business associate has the burden of proof, pursuant to § 164.414(b) (discussed below),
for showing why breach notification was not required. Accordingly, the covered entity or
business associate must document why the impermissible use or disclosure falls under
one of the above exceptions.
Based on the above, we envision that covered entities and business associates will
need to do the following to determine whether a breach occurred. First, the covered
entity or business associate must determine whether there has been an impermissible use
or disclosure of protected health information under the Privacy Rule. Second, the
covered entity or business associate must determine, and document, whether the
impermissible use or disclosure compromises the security or privacy of the protected
health information. This occurs when there is a significant risk of financial, reputational,
or other harm to the individual. Lastly, the covered entity or business associate may need
to determine whether the incident falls under one of the exceptions in paragraph (2) of the
breach definition.
We treat the breach as having occurred at the time of the impermissible use or
disclosure (or in the case of the exceptions listed at paragraphs (2)(i) and (ii) of the
definition of “breach,” at the time of the “further” impermissible use or disclosure), but
recognize that a covered entity or business associate may require a reasonable amount of
time to confirm whether the incident qualifies as a breach. As discussed below, a breach
is considered discovered when the incident becomes known, not when the covered entity
or business associate concludes the above analysis of whether the facts constitute a
breach.