Question: An employee at our hospital accessed records that he had no legitimate reason to access. He didn’t tell anyone outside our hospital about any of the information he accessed. Is this still a reportable breach incident, even though the information didn’t leave our hospital?
Idaho Subscriber
Answer: To determine the answer, you must go back to the definition of a breach, which is any acquisition, access, use, or disclosure in violation of the HIPAA Privacy Rule. In this situation, a person accessed the information who wasn’t entitled to look at it. That would be an “access” or a “use.”
But Privacy Rule requirements that involve the “minimum necessary” allow people to access only the information that their work entitles or requires them to access, and to refrain from accessing information that is not within their scope of work. The latter would violate the minimum necessary requirements. So, that would be a reportable breach. Even though the information didn’t leave your facility, it was a breach within your facility.