Accessing medical records constitutes a breach if it involves unauthorized access, use, or disclosure that compromises the security or privacy of PHI.
HHS guidance provides that a breach, under the HIPAA Rules, is defined as “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” Any instance where the security and privacy of protected health information (PHI) is compromised qualifies as a data breach.
Only those with a legitimate need to know, like healthcare providers involved in patient care, should access PHI. If an individual, even another provider, accesses this information without authorization to do so, it is a breach.
If access is not related to treatment, payment, or healthcare operations, it is likely unauthorized. The Minimum Necessary Standard requires that only the information necessary for a specific task be accessed; anything beyond that is a breach.
If an individual accesses more information than their role requires (for example, a staff member who is permitted to access PHI for a case but views more information than necessary, or accesses PHI outside of the instances where it is required), a breach may have occurred.
While unauthorized access is a breach regardless of intent, understanding why the information was accessed (malicious or accidental) can determine the severity of the breach and the ensuing response.
Analyze whether the privacy or security of PHI was compromised during the access. This includes instances where providers share PHI through secure methods, such as HIPAA compliant email, but with unauthorized individuals. If the access leads to the potential exposure of PHI or makes it accessible to third parties, it is a breach.
The case involving Dr. Eithan Haim is a clear example of how unauthorized access to medical records constitutes a breach under HIPAA. Dr. Haim allegedly obtained sensitive patient information from Texas Children’s Hospital under the false pretense of needing urgent access to adult patient records.
Despite having previously been authorized to access records only for patients under his care during his residency, he misrepresented his intentions to reactivate his access. The breach revealed how accessing medical records without proper authorization or legitimate purpose is a violation of HIPAA even when a provider previously had access to this information.
The standard under HIPAA requires healthcare organizations to limit the use, access, and sharing of PHI.
Unauthorized access occurs when someone views or retrieves PHI without proper permission.
Healthcare organizations must report a breach in which unsecured PHI is accessed, used, or disclosed.