Health Information Compliance Alert

Published on Wed Oct 06, 2021 PDF

Question: An employee at our lab accessed records without a legitimate reason. He didn’t tell anyone about any of the information he accessed. Is this still a reportable breach incident, even though the information didn’t leave our lab?

Ohio Subscriber

Answer: To determine the answer, you must go back to the definition of a breach, which is any acquisition, access, use or disclosure in violation of the HIPAA Privacy Rule, says Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems LLC in Charlotte, Vermont.

In this situation, “somebody looked at the information who wasn’t supposed to look at the information,” Sheldon-Dean notes. That would be an “access” or a “use” of the patient’s data.

Reminder: But in the HIPAA Privacy Rule, “minimum necessary” requirements dictate that an employee should access only the information that is needed to perform the tasks in their jobs. A person accessing information that they should not violates the minimum necessary requirements, Sheldon-Dean explains. “So that would be a reportable breach even though the information didn’t leave your facility — it was a breach within your facility.”