notifying patients of PHI breach

Before the HIPAA Omnibus Rule went into effect last year, the standard for determining whether or not patients needed to be notified in the event of a breach of Protected Health Information (PHI) was pretty subjective.  If, for instance, a computer with PHI  of 3000+ patients was stolen from a small practice, it was the responsibility of the practice’s Privacy Officer to assess whether the theft was likely to result in harm to any patient’s reputation or bank account. If the answer was “yes,” then the breach had to be reported and the patients notified.

The trouble with that standard was that it was difficult — if not impossible — to assess on an individual-by-individual basis what kind of risk a patient might be subject to. A small-town pastor testing positive for an STD would surely suffer a battered reputation if that information became public, while a local teacher with a newly-diagnosed allergy to gluten probably wouldn’t care who found out.

The “harm standard,” as it was termed, was too subjective and ambiguous to provide effective guidance on the circumstances that call for patients to be notified of a PHI breach.  Provisions in the Omnibus Rule are meant to fix that.

The new standard every practice needs to know

HIPAA’s Omnibus Rule replaces the “harm standard” with one that’s based on the “risk of compromise.” This means that any impermissible use or disclosure of PHI is presumed to be a breach, unless you’re able to demonstrate, through a risk assessment, that there’s very little likelihood the breached information will be compromised.

Four important factors to consider

 The HIPAA Omnibus Rule provides four specific factors to consider when trying to figure out if you really do need to notify patients about a PHI breach. When a breach happens, ask and assess:

  1. To whom the information was impermissibly disclosed
  2. Whether the information was actually viewed or accessed
  3. The potential ability of the recipient to identify the subjects of the data
  4. The extent to which the risk to the PHI has been mitigated

“What do I tell them?”

Odds are, if there’s been a breach, you’ll need to let your patients know. In an upcoming post, I’ll talk about what to include in the “Notification of Breach” letter you’d be required to send under HIPAA regulations.

Only you can prevent PHI breaches

Every safeguard you put in place in your practice to protect patient information lessens the chances for a PHI breach. When it comes to HIPAA compliance, it’s better to be proactive than reactive. And by doing your part to protect PHI, you’ll also be protecting the trust your patients have placed in you.

Photo courtesy of tsutatsuta