Healthcare: Significant Risk Assessment: What Constitutes a Breach Under HITECH?
Over the past several years, Congress has taken steps to protect patient information in the rapidly-changing digital age. Most health care providers have transitioned from using paper files to sophisticated computer programs to keep records. Just as computer files make life easier for those using them, they also present a significant risk due to the large amount of data stored in one small location. Accordingly, Congress has begun to implement ways of dealing with this shift in technology.
In efforts to adapt to the "digital age," the Breach Notification Rule was implemented into the Health Information Technology for Economic and Clinical Health Act (HITECH). Under the Breach Notification Rule, covered entities must provide notification following a breach of unsecured protected health information. As a preliminary matter in adapting to the Breach Notification Rule, covered entities must develop a better understanding of what constitutes a "breach."
A breach is defined as "an impermissible use or disclosure . . . that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual." Although this definition provides some guidance, when does a disclosure pose a significant risk of financial, reputational, or other harm to the individual?
The Breach Notification Rule Preamble provides some guidance for when an impermissible use or disclosure rises to the level of a breach. When an impermissible use or disclosure takes place, the covered entity needs to perform a risk assessment to determine if there is "significant risk" to the individual. The risk assessment should look to whom the information was disclosed and whether the information was returned prior to any access for improper use. The covered entity should also investigate what type of information was released. If, for example, the only disclosures were the name of a patient and whether that patient received services from a hospital, such a disclosure may not be considered a significant risk of financial or reputational harm. However, if the disclosure also includes what types of services were performed, or a social security number, the likelihood of a significant risk to the individual increases.
Finally, the Preamble to the Breach Notification Rule provides an opportunity for a covered entity to mitigate the harm of a disclosure before it becomes a breach. If the covered entity makes immediate efforts to ensure that the information will be destroyed, then the covered entity may have avoided a significant risk.
As more breaches are reported, a better understanding on what constitutes significant risk will develop. In the mean time, covered entities will have to use discretion on their risk assessment process. Advancements in technology provide a multitude of benefits in the health care community, but they also give rise to issues such as the Breach Notification Rule. Once the definition of breach is more clearly defined, covered entities will be able to better adapt to protecting against breaches. Until then, the risk assessment process will be an integral part of compliance with HITECH.
The author Ben Perrine may be contacted at firstname.lastname@example.org