Demonstrating that a breach of unsecured PHI did not occur…

Was PHI encrypted? Yes ___ = No breach occurred. Produce and maintain evidence of PHI encryption.

Was PHI encrypted?

No ___PHI was not encrypted. Let's go on with the Security Risk Assessment:

• Define “Breach of Unsecured PHI" under HIPAA: “Generally, Breach of Unsecured PHI is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

• Demonstrate low probability that the PHI has been compromised based on a risk assessment of at least those factors:

What is the nature of the PHI involved?

Response: ____________________________________________________________________ Patient data? (Patient demographic data__, patient financial data___, other__ specify: __________)

Extent of the PHI involved?

Response: ______________________________________________________________________

(Consider volume of information, depth of information, etc.…)

Types of identifiers involved?

Response: ______________________________________________________________________

(Patient’s name,___ DOB, ____, more, ____)

Likelihood of re-identification?

Response: ______________________________________________________________________

(Consider length of exposure, memory, etc.…)

Was the PHI viewed? Yes, ____, for how long was the PHI viewed? That will help reasonably determine the likelihood of remembering the identifiers: briefly? ____ (Few seconds), or No, ___: (low probability)

Few minutes, hours and more? ____

Was the PHI acquired? Yes, ____ , No,_______ (low probability)

Who is the unauthorized person?

Response: ___________________________

(The person is authorized with role-based access credentials? Jump down to Exceptions…

The unauthorized person is a closed relative: mother, father, sister, brother; or friend? Reasonably establish circumstances in which the PHI would have already been disclosed, or made known or available to them. Additionally, reasonably establish any involvement in care or payments, and/or legal authority to represent the patient. Did you establish all that? (Low probability)

Was the PHI used or disclosed? Yes ___ , No__ (low probability)

Describe the extent to which the risk to the PHI has been mitigated

_______________________________________________________________________

Was the PHI returned? Yes ____. (Low probability)

Was it destroyed thereafter? Yes ______. (Low probability) No ___ the risk to the PHI has not been mitigated. Keep going...

Could it be an exception to the definition of breach?

Let’s see…

First exception: It is an unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of _______covered entity name______ or _______business associate name________, made in good faith and within the scope of authority, and the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule._____

Second exception: It is an inadvertent disclosure of protected health information by a person authorized to access protected health information at _______covered entity name________ or ________business associate name_________ to another person authorized to access protected health information at _________covered entity name_______ or _________business associate name_________, or _________organized health care arrangement name__________ in which _______covered entity name_______ participates, and the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. ______

The final exception: _____________covered entity name_______ or _______business associate name______ has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information._______

Yes, it is at least one of the three exceptions: No breach occurred, end of risk assessment.

No, it was not an exception: Can you still substantiate Confidentiality (confidential processes or methods were in place)___, Integrity (PHI cannot be modified, altered, removed, or distributed) ____, and Availability (encrypted backups: online__, offline__, onsite__ or offsite__) ___ of the unsecured PHI presumably breached? Give it all you got: ________________________________________________________________________________________________________________________________________________________________________________________________________________________

Your name: ________________________, credential(s) (Preferably, RHIA, CHPS, JD, Esq., etc.…)

Title: ______________________ (Preferably, Chief Compliance Officer, Privacy Officer, Security Officer, etc.…)

Date: ___/____/_____

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html