By John H. Fisher II
April 3, 2018
Conducting HIPAA Breach Risk Assessments
The HIPAA rules relating to assessment of potential patient confidentiality breaches were changed in 2013. Specifically, on January 17, 2013, the Office of Civil Rights released new regulations defining when a HIPAA breach is deemed to occur. These regulations recast the steps that covered entities are required to take when they learn of potential HIPAA infractions.
The existence of these regulations is not particularly newsworthy in 2018. They have after all, been around since early 2013. What is significant about these regulations is that many providers have not updated their process for assessing potential breaches to bring them in line with the new regulations. Even where process has been updated, some individuals within the organization may not understand the process or the subtle but significant changes the 2013 regulations made.
Information-Focused Risk Assessment Process
Before I get into the weeds of HIPAA breach assessment, I want to point out the main change made in 2013. This is where many policies fall short and require updating. The change involved a refocus of the risk assessment from the potential negative impact on the patient whose information is the subject of the potential breach, to the risk of compromise to the information itself. A potential breach is not considered to be a breach if it is determined, through performance of a risk assessment, there is a low probability of compromise.
Previously, probability the patients would be damaged was the focus. This standard gave significant latitude to permit determinations that a breach did not exist. For example, let’s say a disc containing records from a knee examination are sent to a wrong address. Assuming the recipient has no idea who the subject of the information is and that no financial or information permitting identity theft is on the disc, it could be logical to conclude there is a low probability of compromise and no breach.
The same facts could result in a different result under the current, information-focused risk analysis as there would be a much greater likelihood of compromise of the information. A recipient at the wrong address could easily access the information and see that the patient has a really messed up knee. Every situation has its subtleties and I don’t want to automatically conclude that a breach exists under the current assessment standard. But the example highlights the possible shift in outcome applying the information-centric assessment.
Steps to Conduct a HIPAA Breach Assessment
HIPAA Violation vs. HIPAA Breach. A good point of departure for explaining the breach rules is to distinguish between a HIPAA violation and a HIPAA breach. Not every HIPAA violation amounts to a breach. At the same time, all breaches include a HIPAA infraction as a necessary element. At least from the perspective of HIPAA, no breach can exist if there has been no violation of HIPAA. If a use or disclosure is permitted under an applicable exception to the HIPAA privacy mandate, there can be no breach created by a release within the scope of that exception. There could still be penalties for the applicable violation. But the breach disclosure and notification rules would not apply if no “breach” resulted from the HIPAA violation.
Specific Exceptions to Breach. There are also three specific exceptions that result in an impermissible violation of HIPAA not considered to be a breach. Each of these three exceptions to breach have a variety of specific requirements. The three exceptions are broadly described as (i) unintentional acquisitions, access, or use, (ii) certain inadvertent disclosures, and (iii) disclosures where there is a good faith belief the party receiving the information would not be able to retain it. These situations might still violate HIPAA, but would not be considered “breaches.” Keep in mind when assessing the applicability of an exception the covered entity has the burden of proving that all elements of the exceptions being relied upon are met. The facts you rely upon and the reasonableness of your conclusions, with full cognizance that you carry the burden, should be well documented before you can rely on an exception to breach. If you are confident an exception is supported, document it carefully and completely.
Summarizing the First Two Assessment Steps. Considering the information provided in this article thus far, we can begin to see the first two steps applicable to assessing whether a HIPAA breach situation exists under a specific set of facts. Step one is to determine which violation of HIPAA Privacy or Security rules occurred. If no such violation occurred, there can be no breach. End of analysis.
The second step is to ascertain whether one of the three specific exceptions from breach is applicable. If an exception applies, there is no breach.
Now for a third step in the process. Encryption. This concept applies when the potential breach occurred with regards to protected health information that was in electronic form. Electronic information is normally the most susceptible to further compromise because it can be easily moved around the world and/or to a broad population. Electronic information that meets encryption standards is not subject to the same level of potential vulnerability. For this reason, if you can clearly establish the lost information was properly encrypted, no breach would have occurred. Let’s take for example patient files that are burned to CD. If the information or disc is properly encrypted, no breach occurs when or if the disc is lost or stolen. Encryption present. No Breach. Assessment over.
Breach Risk Assessment – Probability of Compromise. Assuming you have gone through the steps described above, your breach assessment is still active. You may still be looking at a potential breach situation. There is one more step to the analysis, and this step is the most difficult. Let’s call this the “low probability” step. This step derives from the changed definition of breach contained in the 2013 regulations. The regulations define a breach as an “acquisition, access, use, or disclosure” that “compromises the security or privacy” of the applicable protected health information.
As I pointed out earlier in this article, the “compromise” standard was one of the most significant changes made by the 2013 regulations. It is also the source of the most confusion. To review, before 2013, the focus was on the individual whose information was at issue. A breach only occurred if the acquisition, access, use, or disclosure posed significant risk of financial, reputational, or other harm to the individual. In 2013, the focus of this part of the analysis was shifted to the information, rather than the individual. The assessment now focuses on the overall probability of compromise to the protected health information. The end result is that more violations will now need to be treated as actual breaches.
The 2013 regulations established certain minimum requirements for assessing the probability of compromise. A formal risk assessment must be conducted and must include certain specific factors. Required factors include (i) the nature and extent of the protected health information that is involved, (ii) the types of identifiers included in the information, (iii) the likelihood the information might be re-identified, (iv) the identity and nature of the unauthorized recipient (or potential recipient) of the information, (v) whether any actual access was obtained to the information, and (vi) the extent to which potential compromise has been mitigated.
Each of these factors must be considered in the context of the impact on the risk of compromise to the information. For example, with respect to the nature of the information involved, specific patient care information or financial information might place the risk of compromise at a higher level. Financial information would seem to greatly enhance the vulnerability of the information because of the potential for exploitation. Consideration of the nature of information does not take place in a vacuum. Other available information might be used to re-identify individuals or increase risk of compromise and should be considered in conjunction with the nature of the lost information.
If the identity of the recipient is known, the nature and background of the recipient is also relevant. There are no black and white rules here, but it seems logical that if someone with convictions for identity theft receives the information a greater level of risk is present than if a health care worker with no negative background is the recipient, who promptly and voluntarily comes forward to report finding the information.
In the end, if you believe, based on supported facts there is a low risk of compromise identified as a result of a thorough risk assessment, you should still consider the standard of proof required to be met. The covered entity always carries the burden of proving the risk of compromise is low. In fact, the regulations fix a presumption that an impermissible acquisition, access, use, or disclosure is a breach unless the covered entity affirmatively overcomes the presumption by demonstrating there is a low probability that compromise took place. In effect, this presumption of breach removes some of the discretion that existed under the old regulations for covered entities to determine that no breach existed. With this in mind, it is critical that any determination you make that a breach does not exist must be supported by well documented and reliable facts, expert opinion, verifiable evidence, and well-reasoned analysis. Additionally, a thorough investigation report should be used to further support the diligence you took to reach your conclusion. If any doubt remains regarding the probability of compromise, it should be resolved in favor of treating a situation as a breach and complying with the breach notification rules.
Parting Words. I will leave you with one parting word of wisdom that has been acquired by handling a number of potential breaches. I have found that HIPAA issues often arise in the most unexpected ways. The same can be true of potential compromise situations. You may think you have examined and closed all the gaps that could result in compromise. But you should never lose sight of a central question. What happens if you are wrong? If the subject information is, in fact, compromised and used for nefarious reasons in the future, what you consider to be a fairly tight risk assessment today can take on a different light in the future. Clearly not all potential breaches require treatment as actual breaches. But if a compromise actually occurs, your assessment is going to appear incorrect, no matter how much reason went into it. This underlines the need for a complete, well supported, and reasonable assessment. This is not an area where shortcuts should be taken.
The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.