I am a covered health care provider subject to the Health Insurance Portability and Accountability Act (HIPAA). I recently heard there is a new rule about when we have to report if an employee accesses a patient’s medical record in violation of HIPAA. I know that I am supposed to report breaches of my patient’s protected health information, but how am I supposed to determine whether or not a breach has occurred?

Under Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to notify individuals when their unsecured protected health information (PHI) is breached. Unsecured PHI is defined as PHI that is not secured through the use of a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services (HHS).

To answer your question, Section 13400(1) of the HITECH Act defines a breach as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of such information. For example, if an unencrypted laptop computer containing the PHI of your patients was stolen, that would likely constitute a reportable breach of PHI.

In an interim final rule, HHS further defined the phrase “compromises the security or privacy of protected health information” to mean “poses a significant risk of financial, reputational or other harm to the individual.” Under the interim rule’s “harm standard,” to determine whether a breach of PHI had occurred, the covered entity was required to focus on whether or not the unauthorized acquisition, access, use, or disclosure of PHI harmed the individual whose PHI had been acquired, accessed, used, or disclosed.

The final rule, which went into effect on March 26, 2013, rejected the “harm standard” and instead established a presumption that acquisition, access, use, or disclosure of PHI in a manner not otherwise permitted by HIPAA is a breach, unless the covered entity can demonstrate that there is a “low probability” that PHI has been compromised based on a multi-factor risk assessment. This assessment requires the consideration of at least the following four factors:

(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(2) The unauthorized person who used the protected health information or to whom the disclosure was made;

(3) Whether the protected health information was actually acquired or viewed; and

(4) The extent to which the risk to the protected health information has been mitigated.

For example, if a covered entity mistakenly sends a lab report or other PHI to a patient’s brother with the same last name as the patient, determining if this is a reportable breach would likely depend upon the relationship between the patient and his brother, and whether the patient’s brother actually viewed any of the patient’s PHI.

When using this four-factor test to decide whether there is a low or high probability that a patient’s PHI has been compromised, please keep in mind that the relative weight of each factor has yet to be determined by the courts and will likely vary on a case-by-case basis.