MSMS Michigan Medicine November December 2022

ASK OUR LAWYER

When Must a Data Breach be Reported?

By Daniel J. Schulte, JD, MSMS Legal Counsel

Q: My practice billing person recently missed some time due to an illness. She was a few weeks behind in processing claims. She took home a thumb drive loaded with patient records so that she could work on getting caught up over a weekend without having to come into the office. The thumb drive disappeared. She claims she last saw it in a pile of papers at home on her dining room table where she was working and fears she accidentally threw it in the trash with the pile of papers. Is this a HIPAA data breach? Do I need to report this to someone?

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities (i.e., your medical practice) and their business associates to provide notification following a breach of unsecured protected health information. I can only assume that the thumb drive your biller took home contained protected health information, because this would certainly include the types of information necessary for her to make claims for payment. Notification of a breach is only required if the protected health information is unsecured. Were the files on the thumb drive encrypted or otherwise secured (i.e., some measure put in place to prevent an unauthorized person from accessing the information)?
If the protected health information on the thumb drive was not secured, then the situation you describe is a data breach and reporting is required unless you can demonstrate that there is a low probability that the protected health information has been compromised, based on your assessment of the risk taking into account at least the following: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) what you know about any unauthorized person known to have used the protected health information and/or those to whom disclosure was made; (3) whether the protected health