When a Privacy Breach Is Not a Breach
Language is important when talking about noncompliance with HIPAA, says Michelle Garvey Brennfleck, JD, shareholder with Buchanan Ingersoll & Rooney in Pittsburgh. Not every instance of noncompliance is a breach, she notes.
“If I’m counseling a client healthcare organization regarding a potential HIPAA violation, I might refer to it as an ‘issue,’ an ‘incident,’ or ‘event.’ Even ‘incident’ sometimes carries with it some weight that we might not want to encourage at the beginning of an investigation,” Brennfleck says. “Be very mindful of language — both verbally and especially in writing — that you can’t take back. You might establish that an incident or an event was not, in fact, a HIPAA breach, and presented a low probability of compromise of that protected health information [PHI].”
Not every unauthorized use or disclosure of PHI necessitates notification, notes Jody Erdfarb, JD, partner with Wiggin and Dana in Stamford, CT. For example, if the information is encrypted and the encryption key is not compromised, the information is not considered to trigger the breach notification rule.
Erdfarb recalls one incident in which a farmer in a neighboring town went to a nearby hospice to return a medical record he found in his field, complete with tractor tire marks. He recognized the name of the facility because his wife had been there. The facility determined that a nurse had put materials on top of her car earlier and some papers had blown away. The farmer assured hospice administrators that he had not looked at any information on the document other than the facility name at the top of the page.
“If that’s your situation and you’re able to get information from the person reporting the breach that it hasn’t been impermissibly disclosed by a person who could retain that information, then that’s an exception to the breach notification rule,” Erdfarb says. “You have that person sign a statement saying that they didn’t retain any of the information, and you don’t have to make the disclosures under HIPAA in most circumstances.”