Breach of Confidentiality
A breach is generally an impermissible use or disclosure that compromises the security and privacy of Private Health Information. An impermissible use of unsecured PHI is presumed to be a breach unless the Hybrid Entity demonstrates that there is a low probability that the PHI has been compromised. When a breach occurs, the Breach Notification Rule requires notification to affected individuals, the Secretary of Human and Health Services, and in some cases, the media.
Entities must notify when there is a loss of information, theft, or certain other impermissible uses, in particular, health care providers must promptly notify HHS if there is any breach that affects more than 500 or more individuals, and they must notify the media if the breach affects more than 500 residence of a state or jurisdiction. If the breach affects fewer than 500 individuals, the Entity must notify HHS no later than 60 days after the end of the calendar year in which the breach occurred.
- Significant breaches are investigated and penalties may be imposed. Breaches of more than 500 patients are publicly reported.
- If a risk assessment demonstrates there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary. (Please note that this breach-related risk assessment is different from the periodic risk analysis required by the Security Rule).
What is a Breach of Confidentiality?
All workforce members have a duty to protect confidential information. Breach of this duty includes the following:
- Accessing confidential information, in any form, without a "need to know" to perform assigned duties. Workforce members are prohibited from accessing their own records and records of family members, relatives and others, unless access is necessary to perform assigned duties.
- Assisting an unauthorized user to gain access to secured information
- Leaving confidential information unattended in a non-secure area
- Disclosing confidential information without proper authorization
- Discussing confidential information in the presence of individuals who do not have the "need to know' to perform assigned duties
- Improper disposal of confidential information
- Disclosing that a patient or employee is receiving care (except for authorized directory purposes)
- Transferring confidential information in any form without both parties having a need to know
Individuals who breach confidentiality are subject to corrective action up to and
including termination of employment. In addition, civil and criminal penalties can
be assessed under HIPAA for PHI violations.