Determination – Is it a Breach?
When a covered entity suspects a breach, whether the cause is unauthorized access or something else, it must work through a defined set of steps to determine whether each incident actually qualifies as a breach.
Prior to the HIPAA Final Omnibus Rule, covered entities assessed the risk of harm to the affected individuals. Under the current rule, an impermissible use or disclosure of Protected Health Information (PHI) is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI has been compromised. To make that determination, the covered entity must assess:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom it was disclosed;
- Whether the PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
These four factors must be weighed in combination, not individually, when assessing the probability that PHI has been compromised, and the outcome of the assessment should be documented. Making this determination defensibly can be a challenging process for entities.
Notification & Mitigation
Just as challenging is providing timely notification once a breach has been determined: to the affected individuals, to HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets serving that area.
In addition, and perhaps most important, a covered entity must take two mitigation steps: mitigate the risk of harm to the affected individuals, and mitigate the risk of further compromise to the data.