News & Media

Ask Our Lawyer: When Must a Data Breach be Reported?

Monday, November 7, 2022

QUESTION: My practice billing person recently missed some time due to an illness.  She was a few weeks behind in processing claims.  She took home a thumb drive loaded with patient records so that she could work on getting caught up over a weekend without having to come into the office.  The thumb drive disappeared.  She claims she last saw it in a pile of papers at home on her dining room table where she was working and fears she accidentally threw it in the trash with the pile of papers by accident.   Is this a HIPAA data breach?  Do I need to report this to someone?

ANSWER: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities (i.e. your medical practice) and their business associates to provide notification following a breach of unsecured protected health information.  I can only assume that the thumb drive your biller took home contained protected health information because this would certainly include the types of information necessary for her to make claims for payment.  Notification of a breach is only required if the protected health information is unsecured.  Were the files on the thumb drive encrypted or secured (i.e. some measure put in place to prevent an unauthorized person from accessing the information)?  

If the protected health information on the thumb drive was not secured then the situation you describe is a data breach and reporting is required unless you can demonstrate that there is a low probability that the protected health information has been compromised based your assessment of the risk taking into account at least the following: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) what you know about any unauthorized person known to have used the protected health information and/or those to whom disclosure was made; (3) whether the protected health information was actually acquired or viewed by an unauthorized person; and (4) the extent to which the risk to the protected health information has been mitigated.

In your case a judgement call has to be made.  There seems to be a low probability that the information has been compromised based on the fact that the thumb drive went straight to your biller’s home and appears to have been accidently thrown in the trash instead of being taken by an unauthorized person.  You must document this risk assessment in writing.  

If you are not comfortable concluding that there is a low probability of compromise then you must determine which type of report(s) must be made.

Individual notice is always required.  Generally, all patients whose protected health information was on the thumb drive must receive written notice by first-class mail without unreasonable delay and in no case later than 60 days following the discovery of a breach including, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches.

If there are more than 500 affected individuals must in addition to individual notice provide notice to prominent media outlets.

Finally, in addition to notifying affected individuals and the media (if more than 500 affected individuals) the Secretary Health and Human Services must be notified.  This can be done electronically by going to the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.


By Daniel J. Schulte, J.D., MSMS Legal Counsel