No one likes to dwell on PHI being mishandled or inappropriately accessed, but it is important to have a plan if the situation does occur. Incidents can involve the PHI of thousands of individuals or even just one.
You can be alerted to them in a number of ways.
You may discover one yourself through a process such as reviewing access logs, or it may be reported by a patient or customer. Regardless of the incident’s size or how you were alerted to it, every incident must be investigated to determine whether a breach occurred. Keep in mind that not every incident is a breach, but every breach was at one time an incident before it was confirmed.
When you are alerted to an incident, it should always be documented. Be certain to capture information such as the reporter’s details, the date and time of the alert, and how the incident was identified.
The next step is to investigate the incident to determine if indeed a breach occurred.
An investigation is necessary to determine the probability that PHI was compromised. A standard analysis is used which considers four factors:
The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification;
The unauthorized person to whom the disclosure was made;
Whether the PHI was actually acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.
If it can be determined through this analysis that there is a low probability that the PHI has been compromised, then there is no breach.
However, if such a low probability cannot be demonstrated, it is appropriate to determine that a breach has occurred. Again, the analysis, like the initial report, should be thoroughly documented, as should the final determination of whether or not a breach occurred. As there is no universal arbiter, you become the primary authority in determining whether a breach occurred.
In closing, while all incidents are not necessarily breaches, all incidents must be investigated and the investigation and subsequent determination must be well documented.
Failure to do so could lead to not reporting a breach when otherwise appropriate or over-reporting when an incident is not actually a breach.