Policy 23: HIPAA Compliance Officer Action Plan: Breach Analysis Steps
Step 1: Was there an acquisition, access, use or disclosure of PHI that was created, received, maintained, or transmitted by PRO? The HIPAA Compliance Officer shall determine whether PHI was actually involved in the incident, keeping in mind that PHI only includes individually identifiable information that relates to an individual’s healthcare or payment for healthcare.
YES: Go to Step 2.
NO: There has been no breach of unsecured PHI and breach notification is unnecessary.

Step 2: Was the PHI involved in the incident “unsecured”? PHI involved in an incident will be considered “unsecured” when it is in electronic form and it is not encrypted in accordance with PRO’s “Policy on Encryption and Decryption of e-PHI.”
YES: Go to Step 3.
NO: If the HIPAA Compliance Officer determines that the PHI involved in the incident was secured in accordance with PRO’s policies on securing hard copy and electronic PHI, then there has been no breach of unsecured PHI and breach notification is unnecessary.

Step 3: Was there a HIPAA violation? The HIPAA Compliance Officer must make a determination that there was a violation of the HIPAA Privacy Rule. The incident must involve a use or disclosure that is not permitted by HIPAA.
YES: Go to Step 4.
NO: There has been no breach of unsecured PHI and breach notification is unnecessary.

Step 4: Did the incident compromise the security or privacy of the PHI involved? To determine whether the incident compromised the security or privacy of the PHI that was potentially breached, the HIPAA Compliance Officer must look to the four factors outlined below:
YES: Go to Step 5.
NO: There has been no breach of unsecured PHI and breach notification is unnecessary.

Step 5: Does a breach exception apply? The HIPAA Compliance Officer must also determine whether one of the breach exceptions outlined in the Breach Notification Rule applies to the incident. If so, there is no reportable breach. The three breach exceptions are:
· Unintentional Access, Acquisition or Use of PHI. The incident involved unintentional access, acquisition or use of PHI by a workforce member of PRO or someone acting under the authority of PRO. The unintentional incident must: (1) be made in good faith; (2) be made within the scope of employment; and (3) not result in further improper use or disclosure of PHI.
· Inadvertent Disclosure to an Authorized Party. Inadvertent disclosure between parties at PRO who are authorized to access PHI is not a breach if the PHI is not further used or disclosed in violation of HIPAA. “Authorized to access PHI” means that the two parties involved in the incident are authorized to access PHI in general, not necessarily that they are authorized to access the same type of PHI.
· Disclosure Where Retention Was Not Possible. If the HIPAA Compliance Officer can demonstrate that an unauthorized recipient of the improperly disclosed PHI would not reasonably have been able to retain the PHI, this breach exception applies.
YES: PRO does not have to make breach notification.
NO: PRO must make breach notification in accordance with PRO’s “Policy on Breaches of Unsecured Protected Health Information.”