
When is accessing medical records a HIPAA breach?


Accessing medical records constitutes a breach if it involves unauthorized access, use, or disclosure that compromises the security or privacy of PHI. 

 

What qualifies as a breach under HIPAA

HHS guidance provides that, “A breach, under the HIPAA Rules, is defined as, ‘…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.’” Any instance where the security and privacy of protected health information (PHI) is compromised qualifies as a data breach.

 

The criteria for determining whether access to medical records constitutes a breach

Access without proper authorization constitutes a breach

Only those with a legitimate need to know, like healthcare providers involved in patient care, should access PHI. If an individual, even another provider, accesses this information without authorization to do so, it is a breach. 

 

Assess the purpose behind the access

If access is not related to treatment, payment, or healthcare operations, it is likely unauthorized. The Minimum Necessary Standard requires that only the information necessary for a specific task be accessed; anything beyond that is a breach.

 

Evaluate the extent to which information was accessed

If an individual accesses more information than necessary for their role, for example a staff member who has permission to access PHI in a case but accesses more information than necessary, or accesses it outside of instances where access to PHI is required, a breach may have occurred.

 

Consider if access was intentional or inadvertent

While unauthorized access is a breach regardless of intent, understanding why the information was accessed (malicious or accidental) can determine the severity of the breach and the ensuing response.

 

How does access to medical records impact privacy or security

Analyze whether or not there is a compromise of the privacy or security of PHI during the access. This includes instances where providers share PHI through secure methods like HIPAA compliant email but with unauthorized individuals. If it leads to the potential exposure of PHI or makes it accessible to third parties, it is a breach. 

 

A practical example: Texas doctor illegally accesses patient records

The case involving Dr. Eithan Haim is a clear example of how unauthorized access to medical records constitutes a breach under HIPAA. Dr. Haim allegedly obtained sensitive patient information from Texas Children’s Hospital under the false pretense of needing urgent access to adult patient records. 

Despite having previously been authorized to access records only for patients under his care during his residency, he misrepresented his intentions to reactivate his access. The breach revealed how accessing medical records without proper authorization or legitimate purpose is a violation of HIPAA even when a provider previously had access to this information. 

 

FAQs

What is the minimum necessary standard? 

The standard under HIPAA requires healthcare organizations to limit the use, access, and sharing of PHI.

 

What is unauthorized access? 

When someone views or retrieves PHI without proper permission. 

 

When does a healthcare organization have to report a breach?

Healthcare organizations must report a breach when unsecured PHI is accessed, used, or disclosed.