You might think that the answer to that question is relatively straightforward but, like most things HIPAA, you would be wrong. To answer it you need to apply a three-step analytical framework contained within the Rules but not presented in a manner readily understood even by most compliance officers. In this article we will "demystify" the framework, but don't get lulled into a false sense of "OK, I got this," because the real-world application of the framework is far more challenging than it looks "in the lab."
In other words, figuring out whether the Privacy Rule has been violated is not as easy or predictable as one might think. It essentially requires you to "walk through" the general rules for uses and disclosures located in Section 164.502 in order to arrive at an answer. The same holds true for the second part of question one (i.e., whether or not the PHI is "unsecured"). Before you can answer this part you need to know two things: (1) whether or not encryption had been enabled for the PHI in question; and (2) what "state" the PHI was in (at rest or in motion) at the time that it was allegedly compromised. The next flowchart depicts this process:
As you can tell, we have not even finished answering the first question and the complexity has already increased significantly from what appeared to be a relatively straightforward inquiry. If the answer to the first question is "Yes" then we know two things: (1) the Privacy Rule has been violated and therefore there is a potential that notification will be triggered; and (2) the Breach Notification safe harbor does not apply, because the PHI in question has not been rendered "unusable, unreadable, or indecipherable" to unauthorized persons.
In order to determine if Breach Notification has in fact been triggered, we need to move on to the next question in the framework: "Does one of the exceptions to the definition of Breach apply?" To make this determination you will need to compare the facts of the alleged Breach that you are investigating to the facts contained in the three exceptions. In essence you are being asked to compare your facts against three hypothetical factual scenarios. If your facts fit one of the scenarios then you just won the Breach Notification lotto, because there is no Breach by definition.
If, however, you have not won the Breach Notification lotto then you need to proceed to the third and final question of the analytical framework: "Is there a low probability that the PHI in question was compromised?" Here you have several difficulties to overcome: (1) when you reach this step in the framework there is a presumption of a breach by law; and (2) the covered entity has (as one would expect) the burden of overcoming that presumption through a documented risk assessment that considers, at a minimum, the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. In short, you had better be able to prove a compelling reason why your organization has determined that there is a low probability that the PHI was compromised. Good luck with that!
There's really nothing to it, right? Wrong! Well, at least with respect to the "close cases." If you are not sure, seek the advice of counsel. You are well advised to be cautious and prudent, and to have any decision you make well documented! It goes without saying that if the Breach is large enough you can expect an audit, a class action lawsuit, fines from HHS and, of course, millions of dollars in notification costs. It's not going to be a good day.