What is Considered a HIPAA Breach?


A HIPAA breach is the acquisition, access, use or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.

This is a very wide definition, and it might make you think that even a glance at data could lead to a penalty being imposed on you.

HIPAA states that the following will not be considered a HIPAA breach:

  1. An unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if it was made in good faith and within the scope of that person's authority and does not result in further use or disclosure.
  2. Any inadvertent disclosure by an individual who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or within the organized health care arrangement in which the covered entity participates, provided the information received is not further used or disclosed.
  3. A disclosure of PHI where the covered entity or business associate has a good-faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Examples of HIPAA breaches include:

Beyond these three exceptions, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

It is vital for HIPAA-governed organizations to do everything possible to prevent HIPAA breaches from occurring in order to avoid debilitating monetary penalties. Covered entities must ensure that robust processes are in place to prevent breaches from taking place.