Question: An employee at our hospital accessed records that he had no legitimate reason to access. He didn’t tell anyone outside our hospital about any of the information he accessed. Is this still a reportable breach incident, even though the information didn’t leave our hospital?
Answer: To determine the answer, you must go back to the definition of a breach, which is any acquisition, access, use or disclosure in violation of the HIPAA Privacy Rule, says Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems LLC in Charlotte, VT.
In this situation, “somebody looked at the information who wasn’t supposed to look at the information,” Sheldon-Dean notes. That would be an “access” or a “use.”
But the Privacy Rule’s “minimum necessary” requirements account for both people who access only the information that they should access and people who access information that they should not; the latter would violate the minimum necessary requirements, Sheldon-Dean explains. “So that would be a reportable breach even though the information didn’t leave your facility — it was a breach within your facility.”