Privacy Officer's Roundtable

PHI on internal workforce intranet

  • 1.  PHI on internal workforce intranet

    Posted 06-20-2020 09:21 PM
    Edited by Benjamin Hutchins 06-20-2020 10:01 PM
    Scenario - workforce member posts a report containing PHI on an internal workforce intranet page.  The page is only accessible to internal workforce members, but it is accessible to all workforce members.  Is this at its core a HIPAA Security violation at the time of posting or when the wrong workforce members access and view it?

    ------------------------------
    Benjamin Hutchins
    Business Intelligence Analyst
    Spectrum Health System
    Grand Rapids, MI
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: PHI on internal workforce intranet

    Posted 06-21-2020 09:54 AM
    I saw this posted in another group as well.

    Remember, the HIPAA Security Rule only deals with administrative, physical and technical safeguards for ePHI. The HIPAA Privacy Rule, on the other hand, applies to PHI in ALL formats (e.g., electronic, paper and verbal). So when you are dealing with ePHI you need to think beyond the Security Rule.

    45 CFR 164.530(c), for example, of the Privacy Rule requires covered entities to have safeguards in place to prevent the unauthorized disclosure of PHI. I wouldn't think having the ability to post PHI on the Intranet is a reasonable safeguard. Is that a violation? Do your loproco. If you're confident no one in the organization saw the post then it's a low probability the PHI was compromised. Document the incident and come up with a fix.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 3.  RE: PHI on internal workforce intranet

    Posted 06-21-2020 06:16 PM
    Thanks, Brenda. This is helpful.  With the workforce having the ability to post PHI to the entire workforce, education is going to be key to mitigate it. If workforce members deliberately post PHI on our intranet, and after investigation the risk assessment is determined loproco, this is defined as a low risk HIPAA violation, but not a breach, correct?

    ------------------------------
    Benjamin Hutchins
    Business Intelligence Analyst
    Spectrum Health System
    Grand Rapids, MI
    ------------------------------



  • 4.  RE: PHI on internal workforce intranet

    Posted 06-22-2020 06:40 AM
    I left out 1 important thing from my prior post. Take a look at the breach rule. This is an impermissible disclosure because certainly PHI isn't meant to be disclosed to the entire workforce. Then go to the exceptions. If this was intentional / deliberate as you state, I would say the exceptions don't apply. Then go to loproco. A low probability of compromise would not be considered a breach by definition.

    HIPAA § 164.402 Definitions.

    As used in this subpart, the following terms have the following meanings:

    Breach

    means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

    (1) Breach excludes:

    (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

    (ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

    (iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

    (2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

    (i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

    (ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

    (iii) Whether the protected health information was actually acquired or viewed; and

    (iv) The extent to which the risk to the protected health information has been mitigated.

    Unsecured Protected Health Information

    means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L. 111-5.



    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 5.  RE: PHI on internal workforce intranet

    Posted 06-22-2020 02:02 PM
    I'd say it depends on whether the workforce members would otherwise be authorized to receive the PHI, which might be an incidental disclosure.

    If the posting is possibly accessible to all members, including those who don't need to know the PHI and otherwise wouldn't ever need to know it, then I'd say there is an impermissible use (use since it's internal).  You'd have to try to determine if anyone viewed the PHI and then do the LoProCo accordingly.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------
