Confidentiality, Privacy and Security

Can you have an "unreportable" breach?

  • 1.  Can you have an "unreportable" breach?

    Posted 07-08-2020 05:39
    This is a very good question and one I think is worth considering under the idea of compare and contrast.

    So that we are consistent in our understanding of "unreportable" breach, unreportable breach means a breach where the breach notifications (to the individual or the Secretary, for example) are not required by the HIPAA regulations.

For those curious, the answer is yes. I find that these unreportable breaches often involve USB devices, and then a rise in these types of unreportable breaches seemed to occur when ransomware started hitting covered entity data repositories containing ePHI.

    I do find that these types of breaches don't occur very often, unfortunately.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: Can you have an "unreportable" breach?

    Posted 07-08-2020 09:51
It's dangerous to "bucketize" potential breaches to determine if they are reportable or not. HIPAA is very clear on what constitutes a reportable breach and what doesn't. We always need to do a risk assessment to determine if it is a breach. See the guideline below.

    An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

    1.    The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

    2.    The unauthorized person who used the protected health information or to whom the disclosure was made;

    3.    Whether the protected health information was actually acquired or viewed; and

    4.    The extent to which the risk to the protected health information has been mitigated.

See 45 CFR §§ 164.400-41

    --
    Thanks Kris

Kris Lundell MBA, CIPP/US, CIPT, CHP, CHPS, HCISPP, CISSP
    Privacy and Security Consultants LLC


  • 3.  RE: Can you have an "unreportable" breach?

    Posted 07-08-2020 10:10
    Thanks for sharing...some comments to compare and contrast.

"We always need to do a risk assessment to determine if it is a breach. See the guideline below."
Not necessarily. Anytime one identifies an impermissible access, acquisition, use, or disclosure (one of these "impermissibles"), it is presumed you have a breach. Now, you do have the option of doing a risk assessment and seeing, through the four-factor analysis, whether your assessment concludes a breach or not, or you can move forward and do the notifications without doing a risk assessment, given the presumption of a breach.

    Hope this helps clarify.

    Where I am going is that there are some breaches that occur where notification is not required.


    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 4.  RE: Can you have an "unreportable" breach?

    Posted 07-08-2020 14:55
I just received an email from someone asking if I would go into detail about what options are available following an impermissible disclosure with respect to the breach notification rules.

I have a little video snippet I recorded some time ago...which I can post that may be helpful if anyone is interested. Just let me know.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------