The concept of breach vs. disclosure under HIPAA

Section 160.103 of the HIPAA Privacy Rule defines a disclosure as the release, transfer, provision of access to, or divulging of PHI outside the entity holding the information. These can occur with or without patient authorization, depending on whether the purpose aligns with HIPAA-permitted uses like treatment, payment, or healthcare operations. 

On the other hand, the Privacy Rule defines a breach as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner that the rule does not permit, i.e. one that does not qualify as a permitted disclosure. According to a study published in Intelligent Automation & Soft Computing, “The health industry was hit with 536 of the 2216 breaches [in 2018]. This means that, as compared to other industries, the health industry has experienced the most data breaches.” A breach is presumed unless the covered entity or business associate demonstrates, based on a risk assessment, a low probability that the PHI was compromised.

How a disclosure becomes a breach

A disclosure of PHI crosses into the territory of a breach when it involves the unauthorized acquisition, access, use, or disclosure of PHI in a way not permitted by the Privacy Rule. This includes cases where PHI is accessed or disclosed without proper authorization, such as when an employee inadvertently shares PHI with third parties outside the organization, or when the data is stolen. In these cases, a breach is presumed unless the covered entity or business associate demonstrates, based on a risk assessment, a low probability that the PHI was compromised.

How to securely disclose ePHI

  1. The first step is to select a secure communication option for sharing PHI. HIPAA-compliant email offers convenience and security, especially when a top-rated platform like Paubox is selected.
  2. Establish a business associate agreement (BAA) with any email provider selected. The BAA should outline the specifics of the relationship and how the provider will handle PHI.
  3. Restrict access to PHI by allowing only authorized personnel to view or send sensitive information.
  4. Perform periodic audits of the email system and of email practices to identify and address potential vulnerabilities.
  5. Train staff on secure email practices, including recognizing phishing attempts and the proper handling of PHI.

Handling a data breach

The first priority is to contain the breach by isolating affected systems and preserving evidence for investigation. A thorough risk assessment must follow, to evaluate the extent of the compromised PHI and determine whether it was accessed or viewed by unauthorized individuals. As required by the HIPAA Breach Notification Rule, affected individuals must be notified within 60 days, along with the Department of Health and Human Services (HHS) and other authorities. Organizations should also communicate transparently with stakeholders, including employees and the media, while conducting a detailed investigation to identify the breach’s cause.

FAQs

When should the media be notified of a breach?

The media should be notified of a breach when it involves the unsecured PHI of more than 500 individuals.

Why are penalties issued when a healthcare organization experiences a breach?

Penalties are issued to hold organizations accountable for failing to adequately protect patient information.

What are corrective measures?

Corrective measures are actions taken by an organization to address the causes of a breach and implement changes that prevent future incidents.