
This is an entirely hypothetical question.

Let's say a clinic has a computer in their waiting room for checking email, surfing the web etc. while patients wait. Let's also assume whoever signed this up wasn't thinking, and this machine is just sitting on an unsecured network for the clinic, and can access patient files stored on other systems.

Let's assume however that all the users of this are well-intentioned, computer-illiterate people who click on the Firefox icon and nothing else - they never actually access the patient data, they just could.

Is this, by itself, a HIPAA breach, and if so, how large of a breach is it?

Fomite
  • The assumption that *every single* patient in a hospital waiting room is a well-intentioned computer-illiterate is quite naive. You think hackers never need medical attention? – Philipp May 07 '14 at 06:54
  • @Philipp It's what we call a "simplifying assumption" - is there a breach according to the law even if nothing happened, and no one tried to make anything happen. – Fomite May 07 '14 at 13:57

4 Answers


Just going by the guidance on the US Health & Human Services website:

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

"Disclosure" implies that the data was disclosed to someone, which is not true in your example. Also, it does not seem like there was "significant risk of ... harm" if nobody actually saw the data.

Another mitigating factor: Although the terminal might be unlocked, a HIPAA-compliant patient data system will have an idle lockout for precisely this reason. Also they will have audit trails of whether that user accessed any patient data, so you would know for certain if there were an actual breach.

Editing to add based on my comment to @Alex:

Leaving patient data on an unsecured network is a violation of HIPAA Privacy Rule and a very bad thing in general. However, the breach does not occur until someone takes advantage of that security hole.


they never actually access the patient data, they just could.

It may not be a breach of PHI as defined by law until someone touches it -- depends how your lawyer sees the word 'disclosure' -- but it's a breach in the English language sense of HIPAA rules. PHI should either be locked behind a closed system, or encrypted. A system isn't closed if it's accessible by people who have no business with it.

As for the well-meaning computer illiterates, it's a matter of time before a bored patient (or child of patient) starts exploring.

edit: I would actually never recommend leaving even encrypted PHI in an accessible location.

wilee
  • What you said about protecting PHI is absolutely correct. I think it's a question of terminology. Leaving patient data on an unsecured network is a violation of HIPAA Privacy Rule. A _breach_ occurs when someone takes advantage of that security hole. –  Oct 28 '11 at 17:20

The important thing as far as defining a breach is when you need to disclose that a breach occurred. Certainly part of this is a legal question and I'm not a lawyer. You'll find this series of posts about when to disclose interesting: http://www.emrandhipaa.com/tag/jan-mcdavid/

Here's a section of one of the articles: First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions: 1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR 2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.


I just attended a conference put on by a law firm; they said that a hospital was fined a substantial amount of money because the cleaning crew had access to the medical records and employee records room after hours when no one was in the offices.

They were hospital employees who had HIPAA training, but it was a fine for a situation that could have led to a PHI breach.