We recently hosted representatives from the Office for Civil Rights (“OCR”) in both Dayton and Cincinnati. During their visits, they gave attendees insight into the forthcoming HIPAA audits and shed some light on what the OCR expects to see when it investigates data breaches. We will be writing a series of blogs on various HIPAA topics in the coming months. And, with the recent rash of high-profile data breaches, we decided to start with a quick primer on the basics of a data breach under HIPAA. The HIPAA Breach Notification Rule (45 C.F.R. §§164.400-414) requires covered entities and business associates to implement policies and procedures to address the timely reporting of breaches. Oh sure, “a data breach is a data breach,” you might say. But, as with any data breach, you first have to determine whether you even have a “breach,” at least as defined by the law. HIPAA is no different.
So, let’s start with what a data breach is under HIPAA. Generally, a “breach” is an impermissible use or disclosure under the HIPAA Privacy Rule (“Privacy Rule”) that compromises the security or privacy of protected health information (“PHI”). Any impermissible use or disclosure of PHI is presumed to be a breach and requires some form of notice to be given unless the covered entity or business associate involved demonstrates that there is “a low probability that the PHI has been compromised.” The OCR has branded this low probability as “LoProCo.” It is also important to note that the breach rule applies only to “unsecured PHI,” meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons, through encryption or destruction, in accordance with the guidance issued by HHS. PHI that has been properly encrypted under that guidance is not “unsecured,” so its loss or theft does not trigger the notification requirements; properly de-identified data is not PHI at all.
A breach is presumed to have occurred unless the covered entity or business associate can demonstrate a low probability of compromise through a documented risk assessment that accounts for at least the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the PHI has been compromised. As with any law, you might expect some exceptions to what is defined as a “breach” and whether notice is required, and there are three: an unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, made in good faith and within the scope of authority; an inadvertent disclosure between persons authorized to access PHI at the same covered entity or business associate (or organized health care arrangement); and a disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information. In each case, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
Again, this is just a primer on the basics of a data breach under HIPAA. As always, each situation is different, and the time is now to review how your organization is prepared to assess and address a data breach. In truth, this process never stops; it just evolves. As we have said many times before, it is not IF you have a breach or incident, but WHEN. In our next blog, we will discuss the notice requirements pertaining to a breach under HIPAA.