Example Scenario: The Investigation
First, the privacy officer should refer to the definition of “breach.” A breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a way that compromised the security or privacy of the PHI.
Next, it’s time to review the incident. Does it meet any of the breach exceptions outlined in the HIPAA Breach Notification Rule 45 CFR §§ 164.400-414?[2]
Questions to ask
Was Janet’s access an unintentional acquisition, access, or use of protected health information by a workforce member or made in good faith and within the scope of
Was Janet’s access an inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity?
Does Hospital A have a good faith belief that Janet would not have been able to retain the information?
In the above scenario, Janet’s actions do in fact constitute a breach. Her access compromised the privacy of Molly’s PHI. In addition, the access was intentional; this was in no way an inadvertent disclosure, and the information accessed was retained. Therefore, since the incident is considered a breach, the privacy officer must develop a
After the Breach: How to Respond
While the process outlined above seems like relatively straightforward decision-making, working in rural healthcare settings brings forth unique challenges. The routine apology and offering of credit protection may not be satisfactory or appropriate, especially in a scenario like the one described above. Unfortunately, there may be no sufficient resolution in the patient’s eyes, but the facility must focus on prevention
Is terminating Janet after 20 years of loyal employment in a difficult-to-recruit position the best solution? Employee morale may suffer if a 20-year loyal employee is terminated for being “curious.” There also might be backlash from the local community at the sudden termination of an employee who might be well known and respected in the community. However, lack of corrective action may cause distrust among employees and the community that the privacy of their health records is not protected at Hospital A. There could also be community backlash at the news that someone’s healthcare privacy was violated without repercussions. Organizational reputation is a concern, as well as the related decrease in patient volume and associated revenue that could occur.
No facility wants to experience a breach. The impact of such an occurrence—as well as the resolution—will be widespread, from the employee and patient to staff and community members. While termination of employment is one option, there are other options to consider as well. The privacy officer should work with human resources or another leader who can ensure corrective action is executed in a consistent manner based on the violation. After the appropriate corrective action has been determined, it can be administered by the employee’s manager. Even in the smallest of facilities, the privacy officer should not be acting alone.
The repercussions of Janet’s access would be determined by organizational policy. In this scenario, because Janet’s inappropriate access of PHI was intentional, HIM professionals might expect her employment to be terminated. But in rural facilities, this would not necessarily be the case. The organization would also take into consideration prior disciplinary action and the impact to patient care and safety if a position were to be left vacant—potentially for months when recruitment is difficult.
When it comes to healthcare privacy and PHI, “curious cats” should be warned—no matter how well-intentioned, curiosity is not an acceptable justification for a privacy breach.
1. 3Lions Publishing, Inc. “HIPAA § 164.402 Definitions.” HIPAA Survival Guide. www.hipaasurvivalguide.com/
2. Department of Health and Human Services Office for Civil Rights. “Breach Notification Rule.” HHS.gov. July 26, 2013. www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
Traci Waugh (email@example.com) is director of outreach services and compliance at Kalispell Regional Healthcare, based in northwest