Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"I was recently reviewing the Breach Notification Rule after we had an employee access some patient data they should not have, and I saw a section that talked about the “burden of proof.” Can you explain that section and what it means for us, in the event that we need to defend ourselves in this situation?"
Thank you for submitting this question! I don’t often get to explain nerdy legal theories like the burden of proof. That being said, this is a very important concept to understand.
The HIPAA Law
Let’s take a look at what HIPAA says about the burden of proof and how that can help us prepare for an event like you are experiencing.
The term “burden of proof” is incredibly important in legal contexts because it defines who has the responsibility of backing up legal claims and how much evidence is necessary to prove them. In other words, it defines who needs to prove what in order to win a case. Different types of cases have different requirements.
Thanks to "Law & Order," we are all familiar with the burden of proof in criminal cases, right? The prosecution must prove a defendant's guilt beyond a reasonable doubt. During my short stint as a county prosecutor, the opposing defense attorney would spend a good chunk of time explaining this concept to my juries to make sure they knew exactly what I had to prove in order to win. The defendant was presumed to be innocent until I proved he was guilty beyond a reasonable doubt. That is a stiff burden of proof on the prosecution, and it makes a lot of sense in criminal cases where people will be losing their liberty, and maybe their life if convicted.
The burden of proof under HIPAA isn’t quite so favorable to the accused. There are a few sections of the HIPAA regulations to consider. The first is 45 CFR 160.534(b). It states that in a civil money penalty proceeding HHS usually has the burden of proving that a covered entity violated HIPAA, and that it must prove it by a preponderance of the evidence. "Preponderance of the evidence" requires much less than “beyond a reasonable doubt”: it means showing that a violation is more likely than not to have occurred, so think 51% likely. The same section also shifts the burden onto the covered entity on certain issues, such as any affirmative defense it raises and any argument that a proposed penalty should be reduced or waived. On top of that, the Breach Notification Rule contains its own burden shift, which is where the next section comes in.
That brings us to section 164.414(b). It says that in the event of an impermissible use or disclosure of PHI, your practice has the burden of demonstrating either that all required breach notifications were made, or that the use or disclosure did not constitute a breach. In the definition of “breach” in section 164.402, we find that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment that considers at least four factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
So, unlike in criminal cases, where defendants are presumed innocent and their guilt must be proven beyond a reasonable doubt, when it comes to HIPAA breach notification you are presumed to have had a breach unless you can show, by a preponderance of the evidence, that there is a low probability any PHI was compromised.
Practice Implementation
So what does this mean for your practice? Well, I think there are a few takeaways. First, if you have watched many of my videos in Bite-Size HIPAA®, you have heard me say document, document, document about a hundred times (now a hundred and three). This is because if you are accused of a breach, you will need to produce hard evidence that the incident was not a breach, or that you notified everyone you were required to notify. Could you show what your procedures are for protecting the privacy and security of PHI, and demonstrate that your employees have been trained on those procedures?
Second, make sure your IT company is monitoring and logging activity on your practice’s network and systems, and that those logs exist before an incident happens. This is a must. If you suffer a ransomware attack or other technical security incident, the most credible way to show a low probability that PHI was compromised, and so avoid notifying all your patients and the media, is forensic evidence such as firewall, endpoint, and application logs showing what was accessed and that no PII or PHI left the network. That evidence only exists if the logs were being collected before the incident, are retained long enough to cover the whole period in question, and are stored somewhere the attacker (or a misbehaving employee) cannot alter or delete them. This is not easy to do, so you need a knowledgeable IT security professional to help.
Finally, don’t be afraid to report a breach when it happens, because it will happen. Because an impermissible access is presumed to be a breach, it is safest to err on the side of caution and report security incidents when they occur. A practice that never reports breaches ends up looking more suspicious than a practice with a history of reporting seemingly minor breaches that were handled successfully and learned from. Catching an employee looking at a patient chart they should not have accessed is not a huge breach in the grand scheme of things. Go ahead and sanction the employee, complete an incident report, notify the affected patient (without unreasonable delay, and no later than 60 days after you discover the breach), retrain your staff on your privacy procedures, and submit the report to HHS online (a breach affecting fewer than 500 individuals can be reported within 60 days after the end of the calendar year in which it was discovered). That is a better plan than trying to pretend the incident didn't happen.
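As an added example (not part of the original article, and not code from Bite-Size HIPAA® or any EHR vendor), here is the kind of log review that produces the evidence the last two points depend on: a check of an EHR audit log for chart accesses by staff with no care-team assignment to the patient, and a check of firewall egress logs for data leaving the EHR server to outside addresses during an incident window. Everything in it is constructed: the log formats, the user and patient identifiers, the IP addresses, and the care-team table are assumptions for illustration, and a real EHR or firewall export will need its own parser.

```python
"""Added example: pulling breach-assessment evidence out of constructed logs."""
import ipaddress
from datetime import datetime

# Constructed sample EHR audit log: timestamp, user, patient_id, action.
# The format is an assumption of this example; real audit exports differ.
AUDIT_LOG = """\
2024-03-04T09:12:03,dr.lee,P1001,view_chart
2024-03-04T09:15:40,front.desk1,P1001,view_demographics
2024-03-04T12:02:11,hygienist2,P2002,view_chart
2024-03-04T12:04:55,hygienist2,P1001,view_chart
2024-03-05T08:01:00,hygienist2,P1001,view_chart
"""

# Constructed care-team table: which users have a treatment or operations
# reason to open each chart (an assumption of this example).
CARE_TEAM = {
    "P1001": {"dr.lee", "front.desk1"},
    "P2002": {"dr.lee", "hygienist2"},
}

# Constructed firewall egress log: timestamp, src_ip, dst_ip, bytes_out.
EGRESS_LOG = """\
2024-03-04T11:58:00,10.0.0.5,10.0.0.20,4096
2024-03-04T12:00:30,10.0.0.5,203.0.113.9,1200
2024-03-04T12:03:10,10.0.0.5,203.0.113.9,73400320
2024-03-04T12:05:00,10.0.0.7,198.51.100.4,900
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed practice LAN
EHR_SERVER = "10.0.0.5"                                # assumed EHR server


def parse_csv(text):
    """Split constructed CSV-style log lines into field lists, skipping blanks."""
    return [line.split(",") for line in text.splitlines() if line.strip()]


def unauthorized_chart_access(audit_text, care_team):
    """Return (user, patient, timestamp) for every access by a user who is
    not on that patient's care team. A patient with no care-team entry
    counts as unauthorized for everyone, so gaps in the table surface."""
    hits = []
    for ts, user, patient, _action in parse_csv(audit_text):
        if user not in care_team.get(patient, set()):
            hits.append((user, patient, ts))
    return hits


def external_egress(egress_text, src_ip, start, end, internal_nets):
    """Sum bytes sent from src_ip to addresses outside internal_nets between
    start and end (inclusive ISO-8601 timestamps). Returns a dict keyed by
    destination IP so each outbound flow can be investigated separately."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    totals = {}
    for ts, src, dst, nbytes in parse_csv(egress_text):
        when = datetime.fromisoformat(ts)
        if src != src_ip or not (t0 <= when <= t1):
            continue
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in internal_nets):
            continue  # internal traffic is not exfiltration
        totals[dst] = totals.get(dst, 0) + int(nbytes)
    return totals


if __name__ == "__main__":
    for user, patient, ts in unauthorized_chart_access(AUDIT_LOG, CARE_TEAM):
        print(f"{ts}: {user} opened {patient} without a care-team assignment")
    flows = external_egress(EGRESS_LOG, EHR_SERVER,
                            "2024-03-04T11:00:00", "2024-03-04T13:00:00",
                            INTERNAL_NETS)
    for dst, nbytes in sorted(flows.items()):
        print(f"{nbytes:>12} bytes from {EHR_SERVER} to {dst}")
```

An empty result from both checks is the kind of documented, reproducible evidence a risk assessment can cite. A non-empty result (the constructed data shows one user opening a chart outside their care team, and roughly 73 MB sent from the EHR server to an outside address) is exactly what a "low probability of compromise" argument cannot explain away, and those entries are where the investigation starts.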
Summary
To summarize, the burden of proof under HIPAA is not on the side of covered entities, especially when it comes to breach notification. Make sure you are documenting your HIPAA compliance, have a good security logging system in place, and report security incidents unless you can demonstrate that there is a low probability any PHI was compromised.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.