Question: An employee at our general surgery practice accessed records for which he had no legitimate reason to do so. He didn’t tell anyone outside our office about any of the information he accessed. Is this still a reportable breach incident, even though the information didn’t leave our office?
Codify Subscriber
Answer: To find the answer, you must go back to the definition of a breach — any acquisition, access, use or disclosure in violation of the HIPAA Privacy Rule, says Jim Sheldon-Dean, director of compliance services for Lewis Creek Systems LLC in Charlotte, Vermont.
In this situation, “somebody looked at the information who wasn’t supposed to look at the information,” Sheldon-Dean notes. That would be an “access” or a “use.”
Having an employee access information that he has no need to access violates the “minimum necessary” standard of the Privacy Rule, which allows only employees who have a need to access private data. “So that would be a reportable breach, even though the information didn’t leave your office — it was a breach within your office.”