Security Incidents: How to Manage Your Risk (Part II)
December 2, 2011
Law Firm: Hall Booth Smith Slover P.C. - Atlanta Office

At first glance, this seems to require notification for each use or disclosure that is inconsistent with HIPAA. However, notification is only needed where the breach is of “unsecured” PHI. This means only the disclosure of PHI that was not encrypted is subject to the notification requirements. Unfortunately, most smaller providers are not utilizing encryption methodologies in their transmissions of PHI. Therefore, when they have a security incident, they must move on to the next part of the analysis.

Additionally, notification is only required when the disclosure meets the definition of a “breach” of PHI. The Office of Civil Rights (OCR), the enforcement agency that drafted the regulations, recognized that there was no need for notification in every instance of improper use or disclosure. OCR noted that failing to include a harm threshold would diminish the impact of notifications received by individuals. If a threshold were not included, individuals might be flooded with notifications for breaches that pose no threat to the security or privacy of their protected health information or, alternatively, might suffer unwarranted panic and the expenditure of undue costs and other resources in remedial action. Thus, a harm threshold was included within the definition of “breach.”

“Breach” means the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Privacy Rule which compromises the security or privacy of the protected health information. 45 CFR 164.402 (2011). For purposes of this definition, “compromises the security or privacy of the protected health information” means “poses a significant risk of financial, reputational, or other harm to the individual.” 45 CFR 164.402. Accordingly, in order to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates must perform a “risk assessment” to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. 74 FR 42740, 42744.