This was a very good question and a thorough analysis.What I think it shows is that all 4 of the factors are important and that how you answered was based on experiences and thought process. There are positives and negatives with each factor. I answered as factor 2, not based on the "can't determine" aspect, but the other end--if you could show it was not acquired or viewed. We had a case where the PHI was mailed to the right recipient, but at an old address. When the organization who was expecting it called and said they didn't have it yet, we started the breach process and determined a breach. Two weeks later, the package was returned to us marked to the effect of 'recipient no longer at this address, no forwarding address'. The outer envelope and the inner envelope were both intact. This led us to look at the whole analysis and it changed the outcome. It was not viewed or acquired, and this had an impact on the other factors.All of the factors are important and each one should not be looked at in total isolation from the others. The proper answer is probably 'all of the above factors are important'.
I was one of he 28% that answered Factor 3 and just as Lloyd stated, it is from experience. Impermissible disclosures or other types of impermissibles revealed to an entity that is obligated to protect the data can have a large impact on the determination of a breach.
I agree that all four factors are important and impactful. Hence, the reason we have all four to consider. Certainly it can be argued that if the data was secured or otherwise meets the exceptions in place in the regulations, then Factor #1 could be rated as the most impactful. There are certainly scenarios that would make each Factor the most impactful in that particular situation.
Great question and analysis. Thanks Frank!
Scot Lovejoy RPh. CHC CHPC
Chief Pharmacy Officer
9 Campus Drive, Suite 200
Parisippany, N.J. 07054
(O) 973-540-8400 x227
Confidentiality Notice: This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure. If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system. Thank you.
No copyright infringement intended.