According to the HIPAA privacy regulations, a “covered entity” (as defined by HIPAA) is required to notify an individual and the Secretary of DHHS “following the discovery of a breach of unsecured protected health information [PHI]. . . .”
A DME company (that bills electronically) is a “covered entity.” The term “breach” has been defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.” Id. at § 164.402. Further, any unpermitted use or disclosure of PHI “is presumed to be a breach unless the covered entity . . . demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment . . . .” Id.
The risk assessment must include an evaluation of at least the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. Id.
The comments accompanying the Final Rule implementing the regulatory language above provide some guidance related to the types of “situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification.” 78 FR 5566, 5642 (January 25, 2013).
In these comments, the Office of Civil Rights (“OCR”) provides the example of a covered entity misdirecting a fax containing PHI to the wrong physician practice, and the recipient physician calling the covered entity to say the PHI was sent to the wrong place and has been destroyed. Id.
While the OCR states that this scenario does not fit any of the breach exceptions, it is the type of scenario in which the OCR thinks a covered entity will likely be able to demonstrate, after performing an assessment of the relevant factors, that there is a low risk of compromised PHI.
Assume that instead of accidentally faxing PHI to the wrong physician, the covered entity accidentally faxes the PHI to a private residence. The first required factor for analyzing the risk of whether the PHI has been compromised is the nature and extent of the PHI involved.
Assume that the PHI disclosed consists of the patient’s name, address, date of birth, and diagnoses. Financial fraud is unlikely to result from disclosure of this information if there are no credit card, bank account, or social security numbers involved.
With the disclosure of the patient’s name and diagnoses, there is some detailed clinical information involved, but it is unlikely that anything disclosed will increase the probability that this information will be used in a manner adverse to the patient or to further the unauthorized recipient’s own interests.
The second factor that must be considered is the recipient of the PHI. Assume that the recipient is an individual living in a private residence. It is relevant that the recipient is not another HIPAA covered individual or entity with obligations to protect the privacy and security of the information. It is further unlikely that the recipient has a particular motive or ability to use the misdirected PHI in a manner adverse to the patient or to further the unauthorized recipient’s own interests.
The third factor that must be considered is whether the impermissibly disclosed PHI was actually viewed or, alternatively, if only the opportunity existed for the information to be viewed.
The final required factor for consideration is the extent to which the risk of the PHI being compromised has been mitigated. The OCR highlighted mitigating steps such as “obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed . . . .” Id. at 5643.
In addition to evaluating the mitigating steps themselves, the covered entity should also consider the extent and efficacy of the mitigation. The analysis performed under the second factor may assist when determining the probable efficacy of mitigating steps. For instance, a covered entity may be more justified in relying on assurances from a recipient that is affiliated with or known by the covered entity, while such assurances from certain third parties may not be sufficient.
Assume that the recipient of the misdirected PHI informs the covered entity that the PHI was destroyed. Assume further that the recipient proactively called the covered entity to relay information about the misdirected fax transmission as opposed to the covered entity discovering the issue and reaching out to the recipient.
While the recipient is a third party not affiliated with or known to the covered entity, the risk of the PHI being compromised is significantly reduced by the fact that the recipient voluntarily informed the covered entity of the disclosure and provided a verbal assurance that the PHI was destroyed. Nevertheless, it would be wise for the covered entity to make contact with the recipient and document the recipient’s assurance that the PHI was destroyed.
Based on the above analysis, the covered entity should make contact with the recipient of the PHI to document and assess the recipient’s assurance that (1) the PHI will not be further used or disclosed, and (2) the PHI has been destroyed. If, after making contact with the recipient, the covered entity concludes and can document that the recipient has given reasonable and credible assurances related to points 1 and 2 above, it would be reasonable to conclude that there is a low probability that the security and privacy of the PHI has been compromised.
May 12th, 2013