Attorney’s Role in Breach Analysis
An attorney’s role in any potential breach is to lead the assessment of the incident and to help the client decide whether it must be disclosed, by applying the law to the factual investigation. Such an assessment is required of covered entities whenever a breach is suspected under the HIPAA Breach Notification Rule, as amended by the 2013 Omnibus Rule (Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act (GINA)) and the corresponding regulations. As the company and its experts review the potential breach, the attorney applies the law implicated by the facts. The applicable law may be not only federal law but state law as well; California’s stringent privacy and breach notification law, for example, applies to breaches affecting California residents.
If it is determined that there is a reportable breach, the attorney assists with the proper method and timing of notification (under HIPAA, without unreasonable delay and no later than 60 calendar days after discovery of the breach).
Any attorney chosen for this task should have experience and education in healthcare law. Examples include a healthcare LL.M., such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and a compliance designation such as Certified in Healthcare Compliance (CHC).
My background includes retention by several clients to help with such an assessment and a Master of Laws (LL.M.) in Healthcare Law from Chicago Loyola Law School, and I am Certified in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.
The risk assessment must consider at least the following four factors, and the findings on each should be documented:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and,
4. The extent to which the risk to the protected health information has been mitigated.
The team must also analyze three exceptions to the definition of “breach.” If any applies, the incident is not a breach and notification is not required:
1. The unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if the acquisition, access, or use was made in good faith and within the scope of authority;
2. The inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates; and,
3. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.
For the first two exceptions, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
Unsecured Protected Health Information and Guidance
Covered entities and business associates are required to provide the notifications only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in HHS guidance. That guidance recognizes two methods: encryption consistent with NIST guidance, and destruction (shredding or destroying paper and film media, and clearing, purging, or destroying electronic media per NIST SP 800-88). The practical check is therefore not merely “was the device encrypted?” but also whether the decryption key or passphrase could have been obtained by the unauthorized person; if the key was compromised along with the data, the encryption safe harbor does not apply and the four-factor risk assessment must be performed.