How to Avoid Unnecessary Breach Reporting
Attorney Helen Oscislawski on Assessing PHI Privacy, Security Incidents
Healthcare organizations need to diligently assess whether a security incident involving patient information truly qualifies as a reportable breach under HIPAA to avoid needlessly reporting it to federal regulators, says regulatory attorney Helen Oscislawski.
"I want organizations to know that when you come across an incident, you need to take a look at the facts and circumstances and keep in mind that ... reporting and notification is only legally required when there is more than a low probability that the protected health information has been compromised," she says in an interview with Information Security Media Group.
"Whether PHI has been compromised is yet another legal standard requiring the evaluation of four factors that the Department of Health and Human Services laid out in the [HIPAA breach notification] rule," she notes.
"The consequences of not going through all that thorough analysis are that any incident [affecting 500 or more individuals] that is reported will be investigated and a HIPAA compliance review conducted by HHS Office for Civil Rights," she points out. And that could result in an OCR enforcement action - or possibly a lawsuit by individuals who believe they were harmed by the incident, she notes.
In the interview, Oscislawski also discusses:
- Potential circumstances when insider security or privacy incidents might not qualify as reportable breaches;
- Circumstances when ransomware incidents result in reportable breaches;
- Possible breach scenarios involving the COVID-19 outbreak;
- Other potential breach reporting and response mistakes to avoid.
Oscislawski, founding member of law firm Attorneys at Oscislawski LLC based in Princeton, New Jersey, is a corporate and regulatory attorney whose practice over the last 20 years has focused almost exclusively on advising and representing clients in the healthcare industry. In 2008, New Jersey Governor Jon Corzine appointed Oscislawski to the New Jersey Health Information Technology Commission. In 2010, she was re-appointed to NJ-HITC by Governor Chris Christie and tapped to serve as chair of the Privacy and Security Committee for the New Jersey HIT Coordinator.