Incident Investigation: PHI Mishandling

by Adam Bullian | Jun 12, 2018 | PHI Security


No one likes to dwell on PHI being mishandled or inappropriately accessed, but it is important to have a plan if the situation does occur. Incidents can involve the PHI of thousands of individuals or even just one.

You can be alerted to them in a number of ways.

You may discover it yourself through a process like reviewing access logs, or it may be reported by a patient or customer. Regardless of the size of the incident or how you came to be alerted, all incidents must be investigated to determine if a breach occurred. It is important to keep in mind that not every incident is a breach, but every breach was at one time an incident before it was confirmed.

When you are alerted to an incident, it should always be documented. Be certain to capture information such as the reporter’s details, the date and time of the alert, and how the incident was identified.

The next step is to investigate the incident to determine if indeed a breach occurred.

An investigation is necessary to determine the probability that PHI was compromised. A standard analysis is used which considers four factors:

  • The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification;

  • The unauthorized person to whom the disclosure was made;

  • Whether the PHI was actually acquired or viewed; and

  • The extent to which the risk to the PHI has been mitigated.

If it can be determined through this analysis that there is a low probability that the PHI has been compromised, then there is no breach.

However, if such a low probability cannot be demonstrated, it is appropriate to determine that a breach has occurred. As with the initial report, the analysis should be thoroughly documented. Finally, the determination of whether or not a breach occurred should be meticulously documented. As there is no universal arbiter, you become the primary authority in determining whether a breach occurred.

In closing, while all incidents are not necessarily breaches, all incidents must be investigated and the investigation and subsequent determination must be well documented.

Failure to do so could lead to not reporting a breach when otherwise appropriate or over-reporting when an incident is not actually a breach.

Compliance and security are complex, but they don't have to be hard to comprehend. Check out our resources page for more educational ebooks, presentations, infographics, and more!


Our resources are compiled by our experts here at QI Express. With backgrounds in information technology consultation, IT systems design, audits, law, and patient-facing clinical roles, our team is able to leverage a unique scope of experience to deliver the most comprehensive educational material possible.