Performing a HIPAA risk assessment for a suspected breach.
By Paul J. Welk, JD, PT
Most private practice physical therapists, even those who devote only limited time and attention to current events surrounding the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are aware of the risks associated with a breach of Protected Health Information (PHI) and the potential negative ramifications of the same. That being said, many of these individuals nonetheless believe they are “careful enough” that neither they nor their practice will ever need to assess a potential HIPAA breach. The purpose of this column is to illustrate that breaches do occur in private practice physical therapy offices with more frequency than practitioners might imagine and to review certain steps in the risk assessment process that are undertaken should an impermissible use or disclosure of PHI occur.
As a starting point, the HIPAA Breach Notification Rule requires a covered entity to provide notice to affected individuals following a breach of unsecured PHI. A breach is generally defined as an impermissible use or disclosure under the privacy rule that compromises the security or privacy of PHI.[1] However, it is important to note that not every impermissible use or disclosure of PHI is a breach. When an impermissible use or disclosure occurs, a practice must perform a multiple-step risk assessment to determine whether there is a “low probability” that PHI has been compromised. An impermissible use or disclosure is presumed to be a breach unless the practice can demonstrate such “low probability” based on the risk assessment.
In completing the required risk assessment, the practice must assess various factors, including at least four that are specifically enumerated in the HIPAA Omnibus Final Rule.[2] The first required factor is the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification. For example, when assessing this factor relative to clinical information, a physical therapy private practice would need to consider the specific type of information involved (e.g., diagnosis, medical history, imaging study results). More specifically, if the practice inadvertently disclosed a list of patient diagnoses and discharge dates only, the practice may ultimately determine that this specific factor weighs in favor of a finding of “low probability” that the PHI has been compromised. This determination may rely on the fact that the individuals could not be identified, given factors such as the lack of specificity of the diagnoses and the large size of the community served by the practice.
The second required factor is the unauthorized person who used the PHI or to whom the disclosure was made. For example, if PHI is impermissibly disclosed by a physical therapy practice to another covered entity obligated to comply with HIPAA, there may be a lower probability that the PHI has been compromised, because the recipient is obligated to protect the privacy of the information in a manner similar to that of the private practice responsible for the impermissible disclosure. On the contrary, if the same information is disclosed to an employer of the affected individuals, the employer may be able to determine to which employee the information relates based on information already known to the employer. As these two contrasting examples show, determining whether a breach has occurred requires a detailed, fact-specific analysis.
The third required factor is whether the PHI was actually acquired or reviewed. For example, if a laptop computer containing PHI is stolen but it can be definitively shown through an analysis that the PHI was never accessed or otherwise compromised, the practice may determine that the information was not actually acquired. On the contrary, if an individual is inadvertently mailed the PHI of a second individual and notifies the practice of the receipt of the incorrect information, it is obvious that the information was in fact accessed and viewed.
The fourth required factor is the extent to which the risk to the PHI has been mitigated. Mitigation can occur in multiple ways. For example, a physical therapy practice may be able to obtain satisfactory written assurances from an unauthorized recipient that the information will not be further used or disclosed and will be either returned immediately to the covered entity or otherwise destroyed.
Although many readers assume they will never have to perform a risk assessment or be involved with an impermissible use or disclosure, that assumption may well be wrong. The author is aware of dozens of impermissible uses or disclosures by physical therapy private practices, some of which were determined to be a breach and others of which were demonstrated to involve a “low probability” that the PHI was compromised. In these various incidents, factors that weighed in favor of a finding of low probability included a fax being sent to the incorrect health care provider (as contrasted with a fax to an unregulated individual or entity), the PHI disclosed consisting only of a patient name and telephone number (as contrasted with a complete medical record), a stolen laptop that was remotely wiped prior to access by a third party (as contrasted with a laptop that was unsecured), and the use of an affidavit signed by an unauthorized PHI recipient to demonstrate appropriate mitigation (as contrasted with a case in which the unauthorized recipient is never identified).
In summary, practices should be cautious not to jump to the conclusion that a breach has occurred in all cases of impermissible PHI disclosure, but rather should complete a risk assessment to determine if there is a low probability that the PHI was compromised. Although performing a risk assessment following a suspected breach of unsecured PHI may be a time-consuming endeavor, it is not only a regulatory obligation but an important step in determining whether a breach has occurred and what actions must subsequently be taken under HIPAA.
Please note that this article is not intended to, and does not, serve as legal advice to the reader but is for general information purposes only.
[1] See www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. Accessed July 4, 2016.
[2] See www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Federal Register, Vol. 78, No. 17, Friday, January 25, 2013. Accessed July 4, 2016.
Paul J. Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg where he frequently advises physical therapy private practices in the areas of corporate and health care law. He can be reached at firstname.lastname@example.org.