What is a Breach in HIPAA – Overview
A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In short, anyone who accesses patient data without proper authorization, even accidentally, is committing a HIPAA breach.
Regarding privacy, healthcare data has the most stringent and restrictive security requirements in the United States. Medical data is seen as entirely private to the person and should never be shared outside of the doctor-patient relationship, including insurance carriers and healthcare providers.
As increasing numbers of healthcare providers use electronic medical records to store and share patient data, HIPAA has set several strict guidelines and rules to regulate this. HIPAA restrictions cover the storage and sharing of patient medical information in networked transmission, in database storage, and on mobile devices such as laptops and tablets.
If a patient’s medical data is compromised, accessed, or stolen in any way for any period of time from these locations, this is termed a HIPAA breach and calls for specific responses and reporting.
HIPAA Violation vs HIPAA Breach
Both HIPAA violations and breaches concern the impermissible use or disclosure of Protected Health Information (PHI). The distinction lies in their severity, context, and resultant actions required. A HIPAA breach refers explicitly to a subset of violations that involve the unauthorized acquisition, access, use, or disclosure of PHI, which compromises the security or privacy of the information. All breaches are violations, but not all violations meet the criteria for a breach requiring notification. Whether a violation results in financial penalties depends on various factors, including the nature and extent of the PHI involved, the harm resulting from the violation, and the entity’s compliance history.
A HIPAA violation can include any inappropriate use or disclosure of PHI within an organization, such as when an employee discloses a patient’s PHI or other private information without proper authorization.
A HIPAA breach usually includes the unauthorized disclosure of PHI to an unauthorized individual or entity or access by an unauthorized individual or entity to PHI. It can also include the loss of unsecured PHI, such as unauthorized electronic or physical access to PHI data.
Privacy Rule for HIPAA
HIPAA breaches fall under the Privacy Rule, one of the three main rules of HIPAA compliance.
- Privacy Rule – The HIPAA Privacy Rule establishes national standards for the protection of all Protected Health Information (PHI), not exclusively electronic PHI (ePHI). It applies to PHI in any form, including paper and oral. The Privacy Rule regulates how PHI may be used and disclosed by covered entities and gives individuals rights over their health information. This rule dictates the extent to which patient information must remain private over and above the mandated security, mainly when and how it is transmitted or shared, and the person responsible for governing the privacy.
- Security Rule – The HIPAA Security Rule sets out the measures and methods for securing ePHI during storage, access and sharing, covering aspects of data security such as HIPAA encryption, reporting and risk management.
- Breach Notification Rule – This rule dictates the requirements for organizations when a HIPAA security breach occurs. This rule includes guidelines for when, how, and how often the organization needs to notify those affected by a confirmed security breach in healthcare systems.
The Privacy Rule is a keystone of the other regulations because it specifically defines the type of data considered private and protected. This rule sets the standards for protection, requirements for handling healthcare ePHI and when and how that ePHI can be disclosed, if ever.
Reporting a HIPAA Breach
According to the HIPAA Breach Notification Rule, a breach is an impermissible disclosure of ePHI. Any unauthorized access or impermissible disclosure is termed a breach unless the organization where the breach occurred can prove the unlawful access did not compromise confidential patient data.
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals following a breach of unsecured PHI without unreasonable delay and in no case later than 60 days following the discovery of the breach. Notifications must be made in writing by first-class mail, or by email if the affected individual has agreed to receive electronic notices. This letter to the patient should contain the following information:
- Description of the HIPAA breach
- Kind of data compromised
- Mitigation efforts the organization has undertaken
- Steps a patient can take to protect their data and themselves
- Optional information for credit protection (resources to check and monitor credit, etc.)
If the organization cannot contact 10 or more people affected by a HIPAA breach (due to out-of-date information), it must also place a notice on its website informing of this for at least 90 days from the discovery of the breach. If there are fewer than 10 individuals whose PHI has been compromised, the organization must contact them through phone calls or other written notices.
If a breach affects 500 or more individuals in a state or jurisdiction, the covered entity must notify prominent media outlets in that state or jurisdiction, the affected individuals, and the Secretary of HHS. This notification must also occur without unreasonable delay and no later than 60 days after discovering the breach. Lastly, all affected organizations must inform the Secretary of Health in writing or through an online form.
In many cases, a breach needs to be reported. However, if the affected organization can prove a low probability that attackers had access to ePHI data, it can forgo the reporting. To reach that conclusion, the organization must assess the following points:
- Types of ePHI compromised
- Type of breach and credentials used to access the information
- Whether the PHI data was actually viewed
- The extent to which the risk of use or theft of the ePHI has been mitigated
Thus, if an affected organization can show that a HIPAA data breach has not exposed patient data, because of a lack of credentials or other factors that would make it impossible to steal or view the information, then the organization is not required to notify affected individuals. This exception may apply in the following circumstances:
- An employee of the organization unintentionally accesses patient information as part of their job
- Two authorized people expose ePHI data to each other, in the same or different organizations
- The compromised data is unlikely to have been retained outside of the secure system
Conclusion
If you detect a HIPAA breach in your organization, don’t panic. You can take steps to mitigate the damage as quickly as possible by performing a risk analysis that outlines the time of the breach, its cause, and its potential impact. Next, you should handle any notification requirements and then implement specific security measures to avoid the same mistake again.