
Mandatory Privacy Breach Reporting – When is notice required

Mandatory privacy breach reporting is law in all jurisdictions across North America. That means custodians of patient information, or covered entities, must notify the relevant authorities, and any individual whose information was lost or improperly disclosed if there is risk of harm.

Let’s examine how to assess risk of harm so that you can be sure if and when a breach needs to be reported. Your first step in assessing risk of harm is to understand the regulatory requirements. These rules are meant to ensure individuals can take measures to protect themselves when the confidentiality of their personal information is compromised. In the wrong hands, patient information can be used for identity theft, which has the potential to damage the patient financially through fraud and medically through contamination of their medical record. With that perspective as your lens, you must consider all factors to determine risk of harm.

Asking these questions will inform your investigation and help you decide if the breach must be reported:

  • Is there reasonable basis to believe the information was accessed by or disclosed to an unauthorized person?
  • Could the leaked information be used to commit fraud or harm? (Information that can be used this way must always be reported.)
  • Is there a chance the information could cause embarrassment, physical, mental, or financial harm, or damage to the individual’s reputation?
  • Could the breach adversely affect the delivery of healthcare for the patient (such as contaminated records)?

Answering yes to any of these questions would tell you the breach must be reported. This is not an exhaustive list of all factors to consider. For a more complete description of considerations, consult the regulations in your jurisdiction or contact us for assistance.

**There are some instances where a privacy breach may not need to be reported**

The regulations recognize that if the information was secured against access, notice is not necessary as long as you can prove it was not accessed before it was recovered. In that case, the burden is on you to prove the information is, and was, inaccessible.

Information that is rendered unintelligible (for example, encrypted with a key the recipient does not hold) or completely de-identified can also be exempt from breach reporting. But again, the burden of proof falls on you, which is difficult in the case of stolen hardware, especially because you must account for all future impact, not just what has happened so far. Who the information was disclosed to also makes a difference. If you can demonstrate that the improper recipient of the patient information was a person or organization subject to the same privacy rules you must follow, you are likely not required to give notice. Similarly, if the person who received the information accessed it only to the extent needed to determine that their access was inappropriate, and is taking reasonable steps to address the access, the breach may not need to be reported.

What to do when breach reporting is required:

If a breach in your clinic must be reported, you have to notify the necessary authorities as well as any affected patients, whether it’s one or five thousand. 

Once reported, you’ll need to cooperate with investigators to demonstrate your proper privacy posture, show the steps taken to assess the breach and mitigate further risk, and show what was done to notify all patients involved.

For clinics that subscribe to our privacy support services, we guide the process of reporting and review what needs to be reported in our next post.

Learn about Brightsquid Privacy Support Services HERE.