CHPC Study Group

A slight correction...reporting breaches..and a Q!

  • 1.  A slight correction...reporting breaches..and a Q!

    Posted 19 days ago
    Some of us talked about this on a recent weekend class...and I think the time is right to make a slight adjustment to the statement I would use over the past few years to remind people about breaches and reporting.

    So in 2020 and beyond...the revised statement is:
    All breaches involving unsecured PHI are reportable.

    So now here's a brain buster question:
    Can you have a breach that is not reportable?

    This is also a nice question to practice the "opposite" strategy when taking the exam.  Hint.  Look at the revised statement...I think some of you who have listened to me explain the "opposite" strategy will see the answer right away.

    Good luck!

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------
    Certification Disclaimer


  • 2.  RE: A slight correction...reporting breaches..and a Q!

    Posted 19 days ago
    Pretending I know nothing about HIPAA and breaches (which some may agree with after this) and just looking at the sentence "All breaches involving unsecured PHI are reportable" I would make the following logical, mathematical conclusion (which may or may not be true).

    If "All breaches involving unsecured PHI are reportable" that implies those breaches involving "secured PHI" are not reportable. They are still breaches, just not reportable. So if someone broke into your office and stole all of the laptops on your desks, but they were all heavily encrypted with no indication anywhere of what the credentials are to unlock the laptops, and you have a plethora of new laptops sitting on the shelf in a locked room that wasn't broken into, just waiting to be activated, you may have a breach of your facility, as someone broke in and stole your active laptops, but not a reportable breach as no unsecured PHI was on them, just secure PHI.

    Wow, that was a long winded answer. After all that I hope I'm right.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 3.  RE: A slight correction...reporting breaches..and a Q!

    Posted 19 days ago
    Carl, you posted what I came up with.  A lost or stolen laptop with encrypted PHI is a breach, but not reportable.  Effective encryption is like a 'Get Out of Jail Free' card in that you document it as an impermissible disclosure & breach, but don't have to tell HHS.

    ------------------------------
    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers
    Kerrville, TX
    [lhemmert@hillcountry.org]
    ------------------------------



  • 4.  RE: A slight correction...reporting breaches..and a Q!

    Posted 19 days ago
    Lloyd, now that's a good aspect I hadn't thought about. If it is an impermissible disclosure do you have to make a record of it so that if one of the individuals asks for an Accounting of Disclosures you have to include it?

    If the data is encrypted, is it really a disclosure? Since a breach only involves unsecured PHI, and this PHI was secured such that no one who stole the laptops could ever read it, has it really been disclosed?

    Hmmmm. Like Frank says, let's have some compare and contrast comments from people on this one.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 5.  RE: A slight correction...reporting breaches..and a Q!

    Posted 19 days ago
    I follow the Privacy and HIPAA message groups just for general information, since I don't personally work on HIPAA matters anymore (we have specific staff assigned to that, but I like to keep sort of up-to-date).

    At first blush, using "opposite" it seems logical that breach of "secured" information would not be reportable.  However, I have to admit to some confusion, based on the definition of breach in the regs:

    Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

    Naive question, but wouldn't "secured" PHI not compromise security or privacy, and thus by definition breach would always be unsecured information?  In Lloyd's example, if the laptop is encrypted does that remove the compromise of security or privacy, and thus not be a breach?

    Thanks everyone, for all the C&C that goes on - I continue to learn much even at this (late) stage of my career.  Gotta keep those brain cells challenged :)

    ------------------------------
    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI
    ------------------------------



  • 6.  RE: A slight correction...reporting breaches..and a Q!

    Posted 18 days ago
    I agree with the statement that secured PHI may not be reportable.  However, the burden of proof is on the covered entity.  A lot of people hear "the laptop was encrypted" and dismiss the incident without going through the motions to gather the data needed to prove the encryption was installed properly and meets the requirements.  Oftentimes I see POA "power on authentication" not turned on, which could expose anything on the hard drive.  Additionally, adding the safeguard that prevents users from storing anything on the hard drive will further support your decision that no data was available.

    I'm very interested in everyone's thoughts.  Studying for the CHPC and I could use all the help I can get.  Love participating in this group.

    ------------------------------
    DeAnn Tucker
    League City, TX
    ------------------------------



  • 7.  RE: A slight correction...reporting breaches..and a Q!

    Posted 18 days ago
    I just want to throw out there...don't overthink things.  As Marie did when she referenced some of the definitions in Subpart D...a good start, in my opinion, is to make sure you are grounded somewhat or at least have a good grasp of the regulatory text, including the definitions.  The challenge for some is that they may be trying to put some of these ideas together but have not taken the steps to at least familiarize themselves with the regs.

    Also, to an observation that Marie brought up...I ask that people also look at the four factor analysis...which I think also provides a sound basis for determining that secured PHI, as it also relates to factor 2 and factor 4, would likely lead a LoProCo to the determination of not a breach.

    So for folks who are actually securing PHI using the methodology identified in OCR guidance, breach notifications are not required.  In addition, let's imagine that for whatever reason, people overlooked this aspect of "secured PHI = no breach notifications required"; they may also come to the conclusion of not a breach based on their LoProCo taking into account that the PHI was secured.

    Keep in mind that the LoProCo is going to take into account other factors as well...namely factors 1 and 3...which may also lead to the conclusion of not a breach.

    Good discussion....in my view...and thanks to all for sharing!

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------



  • 8.  RE: A slight correction...reporting breaches..and a Q!

    Posted 18 days ago
    Be careful here...I'm seeing tendencies that I also see when people take the exam...and as Carl said...C&C.

    An easy question to answer...look at the definition of disclosure...reads to me that whether or not the information is encrypted does not impact whether a disclosure occurred.  C&C...I have no issue with people that take an opposite view...in fact I welcome it.

    OK...now let's look at what is permissible to help us identify what is impermissible, using as we did the opposite approach from yesterday, which can be very effective not only for the exam...but also in your role in explaining regs.

    Out of the blue...I'll just pick a disclosure where an authorization is required as our section for this example.  So on some level I think we can see that if I disclose PHI in a situation where an authorization is required, it would be permissible.  Therefore, if I disclose PHI in a situation where an authorization is required but there is no authorization...oops...now we are in the impermissible disclosure zone, so to speak.

    Now...do I have an issue with people who are saying that a disclosure of secured PHI means that it does not have to be accounted for...not at all...by all means...that's your call.  I'm simply saying that it is a path I would not follow.  For those who want to go into this even more...I ask you to go to the section on the Accounting of Disclosures and look at the list of exceptions to what would be listed on the accounting...and here as well, I would not draw a conclusion or make an inference that secured PHI would be an exception...but your mileage may vary based on road conditions and your driving habits.

    Good discussion, and by all means...let's hear from those who have different views...this way people have more insight to use to help drive their own decisions.

    Good work everyone!

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------
