Pro Policy 1200.23

Policy 23: HIPAA Compliance Officer Action Plan: Breach Analysis Steps

Step 1: Was there an acquisition, access, use or disclosure of PHI that was created, received, maintained, or transmitted by PRO? The HIPAA Compliance Officer shall determine whether PHI was actually involved in the incident, keeping in mind that PHI only includes individually identifiable information that relates to an individual’s healthcare or payment for healthcare.

YES: Go to Step 2.

NO: There has been no breach of unsecured PHI and breach notification is unnecessary.

Step 2: Was the PHI involved in the incident “unsecured”? PHI involved in an incident will be considered to be “unsecured” when it is in electronic form and it is not encrypted in accordance with PRO’s “Policy on Encryption and Decryption of e-PHI.”

YES: Go to Step 3.

NO: If the HIPAA Compliance Officer determines that the PHI involved in the incident was secured in accordance with PRO’s policies on securing hard copy and electronic PHI, then there has been no breach of unsecured PHI and breach notification is unnecessary.

Step 3: Was there a HIPAA violation? The HIPAA Compliance Officer must make a determination that there was a violation of the HIPAA Privacy Rule. The incident must involve a use or disclosure that is not permitted by HIPAA.

YES: Go to Step 4.

NO: There has been no breach of unsecured PHI and breach notification is unnecessary.

Step 4: Did the incident compromise the security or privacy of the PHI involved? To determine whether the incident compromised the security or privacy of the PHI that was potentially breached, the HIPAA Compliance Officer must weigh the four factors outlined below:

Factor 1: The nature and extent of the PHI involved.
Explanation: Consider the type and amount of PHI involved and whether the incident involved sensitive information. For example, credit card numbers, social security numbers, or other information that could be used for identity theft or financial fraud more likely compromises the security of information. The same is true for clinical information, especially detailed clinical information (e.g., treatment, medication, medical history information, etc.).

Factor 2: The person who used the PHI or to whom the disclosure was made.
Explanation: Consider whether the person who received the information has obligations to protect the information. For example, other covered entities are obligated to protect PHI that they receive in the same manner as PRO.

Factor 3: Whether the PHI was actually acquired or viewed.
Explanation: Determine whether the improperly disclosed PHI was returned before being accessed for an improper purpose.

Factor 4: The extent to which the risk to the PHI has been mitigated.
Explanation: Consider whether immediate steps were taken to mitigate the potential harm from the improper use or disclosure of the PHI.

YES: Go to Step 5.

NO: There has been no breach of unsecured PHI and breach notification is unnecessary.


Step 5: Does a breach exception apply? The HIPAA Compliance Officer must also determine whether one of the breach exceptions outlined in the Breach Notification Rule applies to the incident. If so, there is no reportable breach. The three breach exceptions are:

· Unintentional Access, Acquisition or Use of PHI. The incident involved unintentional access, acquisition or use of PHI by a workforce member of PRO or someone acting under the authority of PRO. The unintentional incident must: (1) be made in good faith; (2) be made within the scope of employment; and (3) not result in further improper use or disclosure of PHI.

· Inadvertent Disclosure to an Authorized Party. Inadvertent disclosure between parties at PRO who are authorized to access PHI is not a breach if the PHI is not further used or disclosed in violation of HIPAA. “Authorized to access PHI” means that the two parties involved in the incident are authorized to access PHI in general, not necessarily that they are authorized to access the same type of PHI.

· Disclosure Where Retention Was Not Possible. If the HIPAA Compliance Officer can demonstrate that an unauthorized recipient of the improperly disclosed PHI would not reasonably have been able to retain the PHI, this breach exception applies.

YES: PRO does not have to make breach notification.

NO: PRO must make breach notification in accordance with PRO’s “Policy on Breaches of Unsecured Protected Health Information.”