Confidentiality, Privacy and Security

breaches and exposures 101--Please help!!!

  • 1.  breaches and exposures 101--Please help!!!

    Posted 09-26-2019 15:52

    Hello -

I began working as the compliance officer for a clinic system.  I just started a few months ago, and found the organization has no software, no forms, no letter templates.  The coding auditing piece is not new to me, but the role as the privacy/security officer is.  I have several questions following a situation where a staff member mailed a patient the wrong information.  The wrong patient brought in the paperwork, and it was placed in the shred bin.  Here are my questions:

1.  Is this a breach?  In Section 164.404, it reads as though there is a low probability that protected health information has been compromised, based on the fact that the person returned the document, and we have coached the responsible staff person accordingly.

    2.  Do I have to do a risk assessment on every small, even incidental disclosure?

    3.  If so, what do I use?   I tried to use the HHS form I saw folks mention, but it asks for organization specific detail and doesn't allow you to assess the breach.  Does anyone have a form?  

    4.  Does a breach of this nature require a communication to the patient?

I'm sorry for so many questions, but I want to make sure I understand.



    ------------------------------
    Sarah Jackson
    Compliance Manager
    ------------------------------


  • 2.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 07:22
Hi, Sarah.   I would consider it a breach and process it as such.  From my perspective, if another individual receives the PHI of a patient, it is an unauthorized disclosure and very difficult to mitigate.   So for this reason, notification to the patient and the OCR would be required (at least in my opinion).

    What might make me consider mitigating the risk is if the "other individual" is a healthcare provider, a member of a healthcare provider's staff, or some type of other covered entity or trusted resource that you would feel 100% confident that the information was not subject to further disclosure....     I have worked in large and small settings and I never want to take the chance that a patient is informed of our breach by someone in the community (e.g., by the way, my mother got a copy of your ER bill in the mail last week...).

    I log everything and I complete a risk assessment - some are much more complicated than others.  Here is why:  1) it is good record-keeping and provides documentation long after you have forgotten the details; 2) it demonstrates ongoing HIPAA compliance and good due diligence should there be an investigation by an external governmental agency; and 3) it provides a reference point for other key individuals who may have to act on my behalf.

    I would recommend you check out HIPAACOW.org.  This is a non-profit group out of Wisconsin that has an abundance of free resources - webinars, policies, education, tools that may help you in this new role.  Check out the deliverables, especially for breach response.

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 3.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 09:11
Hi Sarah,

1) You need to do a risk assessment before you can determine if it is a risk or not. The risk assessment consists of the following questions (see the following URL for additional guidance: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html):
    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the protected health information or to whom the disclosure was made;
    3. Whether the protected health information was actually acquired or viewed; and
    4. The extent to which the risk to the protected health information has been mitigated.
    Once you have answered these questions you will know for sure if it's a breach and how to proceed.

2) Yes, you have to do a risk assessment on every small and large incident. AND you need to keep the documentation of the assessment and the outcome of that assessment in the event that you're audited. (Keep it for 6 years.)

    3) Answered above

4) If, after answering the questions in #1, you feel it is a breach, you want to do the right thing and inform the patient. If PII was disclosed, like an SSN or other unique identifiers, you will want to offer identity theft protection.

    You can email me directly if you want to discuss further. I'm happy to help.

    Kris.
    --
    Thanks Kris

    Kris Lundell MBA,  CIPP/US, CiPT, CHP, CHPS, HCISPP
    Privacy and Security Consultants LLC





  • 4.  RE: breaches and exposures 101--Please help!!!

    Posted 09-28-2019 18:24
    https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

    ------------------------------
    Julie Zabriskie, MSHI, RHIA
    HIT Program Director
    Southwestern Michigan College
    ------------------------------



  • 5.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 09:36
    Hi Sarah,

    These get complex fast and as you say there are many more questions to answer. Let's take this discussion over to email (kmclendon@complianceprosolutions.com).

    Here is a pass at the answers to your questions:

Is this a breach?  In Section 164.404, it reads as though there is a low probability that protected health information has been compromised, based on the fact that the person returned the document, and we have coached the responsible staff person accordingly.  Kelly: Maybe it is and maybe not; it's for you to determine if it's a reportable breach or not due to a Low Probability of Compromise (LoProCo) determination. In this type of case, in many cases it would not be considered reportable; it would be said to be LoProCo, as long as there were assurances the information was not retained and you thought the wrong patient was trustworthy, etc. Be sure to well document those corrective actions as well.

2.  Do I have to do a risk assessment on every small, even incidental disclosure?  Kelly: Not incidentals, such as someone overhearing some oral communications. Since those under the rule don't rise to the level of a potential breach, they don't have to be analyzed as a breach.

    3.  If so, what do I use?   I tried to use the HHS form I saw folks mention, but it asks for organization specific detail and doesn't allow you to assess the breach.  Does anyone have a form?  Kelly: Yes I have one. 

4.  Does a breach of this nature require a communication to the patient? Kelly: Not if it's not a reportable breach. A LoProCo breach is not reportable, so no patient notification.

    I'm sorry for so many questions, but want to make sure I understand. Kelly: Right it's a complex process and you need the correct forms at a minimum. I have copies for you. 



    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------



  • 6.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 15:15

    Sarah,

    Great feedback to your questions so far!  Breach assessment is an interesting and, at times, complex topic. As a new privacy officer I understand how it can be confusing.  Below is my input.

Is this a breach?  In Section 164.404, it reads as though there is a low probability that protected health information has been compromised, based on the fact that the person returned the document, and we have coached the responsible staff person accordingly.

The four-factor analysis (listed nicely by Kris) will help determine if this is a breach.  For example, a wrong statement is sent to a patient and the only PHI is the patient's name and address. The amount owed is on the bill, but no identifiers of what services were provided.  The person returning the statement to you has provided assurances that this information will not be disclosed.  Conclusion:  I would consider this a low compromise of data and not a reportable breach.  On the other hand, if the document is a complete continuity of care document with diagnosis, meds, DOB, etc., I would consider it reportable (unless I have assurances that the recipient did not view or retain the information per the breach exception definition).

    2.  Do I have to do a risk assessment on every small, even incidental disclosure?

    I believe what you are referring to are impermissible disclosures and yes, I conduct a risk assessment on every one, large or small.

    3.  If so, what do I use?   I tried to use the HHS form I saw folks mention, but it asks for organization specific detail and doesn't allow you to assess the breach.  Does anyone have a form?

    I am currently using software but I see Kelly has a form to share.  It is important to have all the required elements for the risk assessment and what the OCR requires when reporting the breach to them. 

    4.  Does a breach of this nature require a communication to the patient?

If your assessment determines no to low compromise, you do not need to report it to the patient or the OCR.
    And, yes, document each case well in case you ever need to defend your conclusions with the OCR.

    Another reference is the AHIMA Breach Notification Toolkit in the HIM Body of Knowledge.

    Good luck, Sarah, in your new role!



    ------------------------------
    Dana DeMasters, MN, RN, CHPS
    Privacy/Security Officer
    ------------------------------



  • 7.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 16:03
    Hi Sarah,

    Welcome to the industry! Here's a couple of tools that I've gathered thus far.

• HIPAA / HITECH Decision Tree to Determine Breach:
    https://www.healthlawyers.org/events/programs/materials/documents/phy12/papers/s_callahanmorris_mcclorey_hipaa_decision_tree.pdf

    • Really get to know the Breach Notification Rule: 45 CFR §§ 164.400-414:
    https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

    • Also, the Privacy Rule at 45 CFR Part 160 and Subparts A and E of Part 164:
    https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

    • And the Security Rule at 45 CFR Part 160 and Subparts A and C of Part 164:
    https://www.hhs.gov/hipaa/for-professionals/security/index.html

    As previously mentioned in this thread, I've found HIPAA COW to be an invaluable resource (I am also from Wisconsin)! If you're anywhere close to Wisconsin, I'd highly recommend attending the spring and fall conferences. They are very reasonably priced for the amount of information that you can receive from them. Either way, their website has a lot of great educational materials and templates. HCCA is another great resource. And of course, I also learn something from AHIMA (particularly this engage group) almost every single day.

    I am also of the practice to log everything and complete a risk assessment for everything.
    • The log is a great resource, because you'll want to be able to look back on what you discussed / decided initially if additional information is obtained after the initial processing of an incident. The log also demonstrates consistency and precedence of past decision making. As mentioned, it also demonstrates HIPAA compliance for audits and references to your thought process and decision making for backup if you happen to be out of the office.
    • The risk assessment is important so you can demonstrate thorough consideration and speak to your reasoning if a decision is ever in question or audited. It also demonstrates  consistency and precedence of past decision making and can speak to why a decision was made with the amount of information you had at the time. This is particularly important if you're later presented with additional information. 

    Good Luck!

    ------------------------------
    Sarah Dietz
    HIM & Privacy Manager
    GHC-SCW
    ------------------------------



  • 8.  RE: breaches and exposures 101--Please help!!!

    Posted 09-27-2019 17:36
    Edited by Sarah Dietz 10-07-2019 13:09


  • 9.  RE: breaches and exposures 101--Please help!!!

    Posted 09-29-2019 16:23
    Hello Sarah,

    You first must prove low probability of compromise through a breach risk assessment. AHIMA has a Breach Notification Tool Kit that is very useful for operationalizing this type of process within your PS Program.

    Carlyn

------------------------------
    Carlyn Doyle
    Compliance Engineer
    ------------------------------