QUESTION: Our hospital recently addressed a HIPAA breach by a hospital employee. Do we have any obligation to conduct a comprehensive review of that employee’s activities to see if there are any other HIPAA breaches?
ANSWER: HIPAA doesn’t specifically require a hospital to conduct an audit or other type of review to determine whether a person who committed one HIPAA breach may have committed other similar (or different) breaches. However, a hospital’s efforts to look for other breaches are important in two ways:
- The HIPAA breach notification rule says patients must be notified of a breach within 60 days of when the hospital knows of a breach, or within 60 days of when the hospital would have known of the breach if it had exercised “reasonable diligence.”
- HIPAA penalties are based on the action a hospital takes. If a hospital knows of a breach that may be part of a pattern but chooses not to look for other similar breaches, the hospital could be charged with “willful neglect” and penalized more severely.
The federal government has never said whether “reasonable diligence” means that a hospital must go back a certain amount of time or engage in certain types of activities. Instead, the government has offered the following general guidance:
With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances. Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances. Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.
78 Fed. Reg. 5566, 5647 (January 25, 2013).