What are the four criteria used to make a determination if a breach occurred?

Evaluating incidents that affect protected health information (PHI) to determine if they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act.  On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. 

A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago which explains that in March 2020, the hospital discovered that between November 1, 2018 and February 29, 2020 an employee “may have accessed certain medical records without a work-related reason.” The hospital also reported the incident to the Secretary of HHS, which is posted on its Breach Portal and further reveals that over 4,824 patients’ electronic medical records were subject to “unauthorized access/disclosure” by the hospital employee. The hospital’s reporting of the incident will also result in OCR investigating the matter, as is noted on HHS’ website (i.e., “This page lists all breaches reported within the last 24 months that are currently under investigation by the Office of Civil Rights”). The hospital has since also been sued by the mother of a 3-year-old child whose medical records were accessed by the hospital employee. That lawsuit is seeking class-action status to include other patients whose medical records were inappropriately accessed. Therefore, the stakes are high, and covered entities should be aware and sensitive to the fact that reporting an incident to HHS that might actually not need to be reported under the standards set forth in HIPAA’s Breach Notification Rule could unnecessarily subject an organization to OCR’s review of not only the reported incident, but also its HIPAA compliance program in general. Additionally, notifying patients of incidents even when there is a “low probability that PHI has been compromised” could trigger unnecessary lawsuits.

Evaluating incidents like the one experienced by Lurie Children’s Hospital is always fact-sensitive and hinges on collecting as much information as possible to complete a thorough and accurate HIPAA Breach risk assessment.  A covered entity should also apply consistent methods to evaluate incidents and make determinations on whether breach reporting is required under HIPAA. The HIPAA Breach Assessment tool provided at the end of this article is one way a covered entity can attempt to standardize its approach to evaluating incidents and breaches under HIPAA. While such a tool should never be solely relied upon to reach a determination on how to respond to a potential HIPAA breach, it does introduce helpful structure and objectivity to what can otherwise be a precariously subjective and, at times, messy process. With that, let’s take a closer look at HIPAA’s specific standards and requirements for when a Breach must be reported.

When a covered entity discovers a breach of unsecured PHI, it must notify affected individuals, HHS and, in cases of breaches involving 500 or more residents of a single State, the media IF such PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. See 45 CFR 164.404(a); 164.406; & 164.408.  A “breach” is specifically defined in the Breach Notification Rule to mean, and is limited to:

     “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI].”  See 45 C.F.R. 164.402.

Any acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule must be presumed to be a Breach UNLESS the covered entity can demonstrate that there is a “low probability that the PHI has been compromised” based on a risk assessment of at least the following factors:

  • The Nature and Extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The Unauthorized Person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually Acquired or Viewed; and
  • The extent to which the risk to the PHI has been Mitigated.

See 45 C.F.R. 164.402(2).

A covered entity has the burden of demonstrating that the use or disclosure did not constitute a Breach as defined by the Breach Notification Rule. See 45 C.F.R. 164.414(b).  The covered entity must also maintain documentation sufficient to meet this burden of proof for six (6) years. See 45 C.F.R. 164.530(j).

Therefore, every covered entity that is evaluating an incident involving the unauthorized acquisition, access, use or disclosure of PHI should analyze the 4-Factors to determine whether sufficient evidence exists to demonstrate that there is a low probability that the PHI has been compromised. Again, such analysis is inherently fact-sensitive and will require judgment. In its Description and Commentary to the Final HITECH Omnibus Rule published in January 2013, HHS offered additional guidance on how to evaluate each of the 4-Factors, which is reprinted at the end of this Article.

So, if the 4-Factor analysis is applied to a situation where an employee accessed patient records in an unauthorized manner, what might the outcome be?  Using the scoring methodology in the HIPAA Breach Assessment tool, the following outcomes are possible:


Thus, in a case where an employee accesses PHI that is not sensitive or significant (i.e., no social security numbers or financial information), is cooperative and the situation is fully mitigated (i.e., employee signs a confidentiality agreement, as HHS suggests would be a mitigating factor, and there is no evidence that the PHI was misused or publicly released), then a covered entity might be able to demonstrate that the documented evidence supports a finding that there would be a “low probability that the PHI was compromised.” On the other hand, if the information accessed was sensitive, the employee is uncooperative, and the covered entity is not able to fully mitigate the situation, then the presumption of a breach would likely stand and notifications and reporting to individuals and HHS would be necessary.

Without knowing the specific details surrounding the employee incident which took place at Lurie Children’s Hospital of Chicago, it is impossible to know which specific factors might have tilted the hospital to decide to report its incident. However, covered entities faced with similar situations should undertake a careful analysis of their facts against the 4-Factors, together with HHS’s 2013 Preamble commentary, and document the final determination and the evidence supporting that decision. Again, because breach incidents are so fact-sensitive and require judgment, the input of an attorney or other appropriate expert should also be sought before taking any final action one way or the other. Additionally, the best “medicine” against employee snooping is providing regular and meaningful HIPAA training, including security reminders, that targets exactly these types of (unfortunately) all-too-common behaviors that employees engage in because of a lack of understanding or appreciation of the boundaries for electronic PHI access when it is readily available through EMRs. Lurie Children’s Hospital states in its website Notice that it has since implemented organization-wide re-training of its employees in response to the recent employee incidents. However, covered entities should be proactive rather than reactive in order to avoid similar types of incidents from taking place at their organization. Basic “HIPAA 101” type training is not as effective as training that targets the “Top 10” behaviors engaged in by employees that can lead to privacy and security incidents, and breaches. For training resources, subscribe to Legal HIE Member-only content here.

What are the 3 exceptions to the definition of breach?

There are 3 exceptions: 1) unintentional acquisition, access, or use of PHI in good faith, 2) inadvertent disclosure to an authorized person at the same organization, 3) the receiver is unable to retain the PHI.

What is a four factor breach risk assessment?

A breach risk assessment requires evaluation of 4-Factors: (1) Nature/Extent of PHI; (2) the Unauthorized Person; (3) if the PHI was Acquired/Viewed; (4) Mitigation success.

What are the four conditions to be considered a HIPAA breach?

HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks.

What are breach Notification Rule requirements?

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected ...