Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) explain the HIPAA Breach Notification Rule and the steps you should take if your ePHI is compromised.

Part 11 of a 13-part series (Return to Part 10)

RON: Let's go ahead and move over and we'll talk about the HIPAA Breach Notification Rule. That was one of the other things—and that I think in 2021 was issue number five—and that could be a failure to notify patients if their data has been breached. 


RON: I remember we [personally] got a notification—I don't know how many years ago, it was ten years ago—and I think Target got hacked and the credit card information [leaked]. They were violating what we now know as PCI DSS compliance. They were actually storing credit card numbers. And I don't remember how many million credit cards, but it was like a $210 million fine.
 
We were notified that our credit card information was compromised. So we had to cancel that credit card and then get another credit card, because we got a notification that Target leaked our credit card information. We didn't want to have to deal with that, but we were properly notified.  

So let's go ahead and move on to breach notification and talk about what the Breach Notification Rule is, what it means to our listeners, what they need to do to comply, and how it affects them.


CHRIS: This is pretty interesting. The definition of breach is shown here, highlighted on the screen. Generally speaking, it's “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.” And it's broken into some of these different concepts or areas. “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification.” 
 
We talk about this ID and de-identification in some of our other videos. The unauthorized person who uses the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed—so did they have access to it? And then did they actually acquire it, like physically get permanent access or view it? And the extent to which the risk to the PHI has been mitigated. 

So this is the definition of a HIPAA breach. They go into some exceptions about what a breach isn't. The first applies to unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate (learn the definition of a business associate), if that acquisition, access, or use was made in good faith and within the scope of authority.

In other words, say someone is a radiation technician and they're doing some work on you, Ron, and they have permission to access patient records. They accidentally mistype your name and pull up somebody else's records. They have permission, they are not going to do anything with it, and they were technically authorized in their role. That's basically considered a good-faith breach. So it was a breach, but we're sort of saying, let's not worry about it.

The second exception applies to the “inadvertent disclosure of PHI data by a person authorized to access at a covered entity to another person authorized to access that information, either at that covered entity or another healthcare group in arrangement with the covered entity parties which the covered entity participates.” So in other words, a partner company. Maybe it's a lab or something like that. “In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rules.” Or like, “Hey, if that happens and it's an accident, just stop. Don't pass Go, and everything's fine.” 


CHRIS: The final exception applies “if the covered entity or business associate has made a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.” (What are business associates? Find out at that link). Now, this is sort of like the big catch-all. I mean, think about this. This is really a lot of what you see with some of the new guidance that came out on telehealth. 
 
RON: So it was interesting, because you just mentioned this, I think in a previous video. I remember you saying something like the OCR just put out a new ruling that with telehealth, FaceTime on the iPhone and Google Duo on Android are now acceptable forms of telehealth platforms because they don't record the call. So it's okay for a doctor and a patient to be on FaceTime and have a telehealth session. Because what it's saying here is that the information going out could not really be retained, because it's not being recorded.

So with Duo and FaceTime, they're typically not recorded. There's no issue or no ability to go in there and easily record that, they don't record by default, and it doesn't store that data. So there's really not going to be a persistent breach of that data. It just allows the doctor to share the information with a covered entity and vice versa. But it's not going to be retained. Whereas with Zoom, I know I use Zoom on most of my demos every day, and we constantly record those and send the information and the demos to our clients, and the presumption that Zoom is going to record is there. 
 
So if you use Zoom for telehealth sessions, then that could be in violation. So you would have to ensure that you're using a HIPAA-compliant app version of Zoom, not a regular version of Zoom. Otherwise you could be in violation of HIPAA. 

So yeah, there's a lot of weird edge cases, and where this one is going to apply is not only inter-, it's intra-, when you're talking about the covered entities. For example, let's say I've got type 2 diabetes and I'm talking to my doctor in his office about my care. Well, that's one thing, and that's easy to control within an office, right? So it'd be between me, my doctor, maybe the PA, maybe a nurse, maybe whoever is taking my blood.
 
But then all of a sudden, if he says, “I need to refer you to a hematologist and specialist,” now all of a sudden we're bringing in another entity. So if my doctor calls that entity to have a conversation with them, he's on the phone with someone telling them about my care. And it ends up being someone at that office that isn't supposed to have access to that data, but they took the call because the doctor was out of the office...that's where one of these breaches can happen.  

That was the second exception there, where it's an inadvertent disclosure of information to someone who they thought should have authority access but didn't. So the doctor may not be held accountable, because it may fall under that second exception when they were like, “Hey, I called to share information as a referral for my patient and I asked you if you can take that information and you said, ‘yes,’” the implication was that you're authorized to take that information and you were not. 
 
That would be under the second exception here. So it's definitely a gray area, and I would assume that that's where some of those breaches are. You were just talking about Zoom a minute ago. Do you want to add any more information? I think I covered it briefly, but was there anything else about any of the telehealth sessions that you wanted to finish out?
 
CHRIS: Well, I think it's a nice analogy to ePHI data in general. A lot of times the data is going to be on a database or physically on a web server, or maybe even on mobile devices because of a mobile app. And some of the data ends up getting stored because of caching or development practices. And you really want to think about this because, by definition of breach, they're talking about in number one, basically the nature and extent of PHI and whether or not identifiers are there, and can somebody acquire or view that data, and did they or not?  

We sort of get into that in some of the breach reporting. But did they or not review that? That becomes the question. But if it was possible, then there's sort of this assumption that has to be made that somebody could have taken that data and used it for a non-innocent use case, a non-good faith use case. Which, if you click on the breach reporting page and we go take a look at that and just go through some of these concepts, I think it would be great if you were just to go over the highlighted sections here, and just sort of outline what this is and how it works with how you're supposed to report breaches. 

Continue to Part 12 to learn about self-reporting HIPAA violations.