Was the PHI encrypted? Yes ___ : the PHI was secured; no breach of unsecured PHI occurred. Produce and maintain evidence of the PHI encryption (that it met the HHS guidance for rendering PHI unusable, unreadable, or indecipherable to unauthorized persons, and that the decryption key was not also compromised).
Was the PHI encrypted? No ___ : the PHI was not encrypted. Continue with the breach risk assessment:
Definition of "Breach of Unsecured PHI" under HIPAA: "Generally, a breach of unsecured PHI is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."
To conclude that no breach occurred, demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
What is the nature of the PHI involved?
Response: ____________________________________________________________________
Patient data? (Patient demographic data ___, patient financial data ___, other ___, specify: __________)
What is the extent of the PHI involved?
Response: ______________________________________________________________________
(Consider the volume of information, the depth of information, etc.)
What types of identifiers are involved?
Response: ______________________________________________________________________
(Patient's name ___, DOB ___, other ___)
What is the likelihood of re-identification?
Response: ______________________________________________________________________
(Consider the length of exposure, what could be memorized, etc.)
Was the PHI viewed? Yes ___ / No ___ (if No: low probability)
If Yes, for how long was the PHI viewed? This helps reasonably determine the likelihood that identifiers were remembered: briefly, a few seconds ___; a few minutes ___; hours or more ___
Was the PHI acquired? Yes ___ / No ___ (if No: low probability)
Who is the unauthorized person?
Response: ___________________________
(If the person is a workforce member authorized with role-based access credentials, skip down to the Exceptions below.)
Is the unauthorized person a close relative (mother, father, sister, brother) or a friend? Reasonably establish the circumstances in which the PHI would already have been disclosed, or made known or available, to them. Additionally, reasonably establish any involvement in the patient's care or payment for care, and/or legal authority to represent the patient. Did you establish all of that? Yes ___ (low probability)
Was the PHI further used or disclosed by that person? Yes ___ / No ___ (if No: low probability)
Describe the extent to which the risk to the PHI has been mitigated:
_______________________________________________________________________
Was the PHI returned? Yes ___ (low probability)
Was it destroyed thereafter? Yes ___ (low probability) / No ___ : the risk to the PHI has not been mitigated. Keep going...
Could it be an exception to the definition of breach?
Let's see...
First exception: an unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of _______covered entity name______ or _______business associate name________, made in good faith and within the scope of authority, that does not result in further use or disclosure in a manner not permitted by the Privacy Rule. _____
Second exception: an inadvertent disclosure of protected health information by a person authorized to access protected health information at _______covered entity name________ or ________business associate name_________ to another person authorized to access protected health information at the same _________covered entity name_______ or _________business associate name_________, or at _________organized health care arrangement name__________ in which _______covered entity name_______ participates, where the information received is not further used or disclosed in a manner not permitted by the Privacy Rule. ______
Third exception: _____________covered entity name_______ or _______business associate name______ has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information. _______
Yes ___ : it is at least one of the three exceptions. No breach occurred; end of risk assessment.
No ___ : it is not an exception. Can you still substantiate the Confidentiality (confidential processes or methods were in place) ___, Integrity (the PHI could not be modified, altered, removed, or distributed) ___, and Availability (encrypted backups: online ___, offline ___, onsite ___, offsite ___) ___ of the unsecured PHI presumably breached? Document everything you can: ________________________________________________________________________________________________________________________________________________________________________________________________________________________
Your name: ________________________, credential(s): ______________ (preferably RHIA, CHPS, JD, Esq., etc.)
Title: ______________________ (preferably Chief Compliance Officer, Privacy Officer, Security Officer, etc.)
Date: ___/____/_____