What is a Breach in HIPAA – Overview
A HIPAA breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In practice, any acquisition, access, use or disclosure of protected health information (PHI) that the Privacy Rule does not permit is presumed to be a breach, even if it was accidental, unless the organization can demonstrate a low probability that the PHI was compromised.
Health data is subject to some of the most stringent privacy and security requirements in the United States. Under HIPAA, PHI may be used and disclosed only as the Privacy Rule permits or requires: for treatment, payment and health care operations, with the patient’s written authorization, or for a small number of other defined purposes. Sharing PHI for any other reason, whether with an insurer, another provider or a third party, is an impermissible disclosure.
As increasing numbers of healthcare providers use electronic medical records to store and share patient data, HIPAA sets strict rules to regulate this. HIPAA’s requirements follow the PHI wherever it is handled: in transit over a network, at rest in a database, and on mobile devices such as laptops and tablets.
If a patient’s medical data in any of these locations is compromised, accessed or stolen, for however short a period, that is a HIPAA breach and it triggers specific response and reporting obligations.
HIPAA Violation vs HIPAA Breach
A HIPAA violation is any failure to comply with a HIPAA rule, whether or not PHI is actually exposed; failing to perform a required risk analysis or to sign a business associate agreement is a violation, for example. A violation may or may not lead to financial penalties or other sanctions. A HIPAA breach is narrower and more specific: an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. Every breach is also a violation, and a breach always triggers the Breach Notification Rule, but fines and corrective action depend on the investigation that follows rather than being automatic.
A HIPAA violation can include inappropriate use or disclosure of PHI within an organization, such as an employee disclosing a patient’s PHI or other private information without proper authorization, as well as failures of required safeguards that expose no PHI at all.
A HIPAA breach usually involves disclosure of PHI to an unauthorized individual or entity, or access to PHI by an unauthorized individual or entity. It also includes the loss or theft of unsecured PHI, such as an unencrypted laptop or a paper file, whether or not anyone is known to have looked at the data.
Privacy Rule for HIPAA
HIPAA breaches are defined with reference to the Privacy Rule, which is one of the three main rules of HIPAA compliance.
- Privacy Rule – The Privacy Rule establishes the fundamentals for the privacy of PHI in every form, whether paper, oral or electronic, including the definition of PHI itself. This rule dictates the extent to which patient information must remain private, when and how it may be used or shared, and who in the organization is responsible for governing privacy.
- Security Rule – The HIPAA Security Rule sets out the administrative, physical and technical safeguards required to protect electronic PHI (ePHI) during storage, access and sharing, covering such aspects as risk analysis and risk management, access control, audit logging and encryption.
- Breach Notification Rule – This rule dictates the requirements for organizations when a breach of unsecured PHI occurs. It covers when, how and whom the organization must notify: the affected individuals, the Secretary of Health and Human Services and, for larger breaches, the media.
The Privacy Rule is a keystone of the other regulations because it specifically defines the type of data that is considered private and protected. This rule sets the standards for protection, the requirements for handling PHI, and when and how that PHI may be disclosed, if ever.
Reporting a HIPAA Breach
Under the HIPAA Breach Notification Rule, a breach is an impermissible acquisition, access, use or disclosure of unsecured PHI. Any such incident is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. PHI counts as “unsecured” when it has not been rendered unusable, unreadable or indecipherable to unauthorized persons in line with HHS guidance; for electronic data that means encryption consistent with the NIST standards the guidance references, with the decryption keys stored separately from the data. Loss of properly encrypted ePHI is therefore not a reportable breach, while loss of the same data in plaintext is.
Under this rule, the organization that has suffered the breach must notify each affected individual in writing, by first-class mail or by email if the individual has agreed to receive electronic notices, without unreasonable delay and no later than 60 calendar days after discovering the breach. The 60 days are an outer limit, not a target, and the clock starts when the breach is discovered or when it should reasonably have been discovered with due diligence. The notification must contain the following information:
- A description of the HIPAA breach, including the date of the breach and the date of its discovery, if known
- The kinds of PHI involved (for example names, Social Security numbers, dates of birth, diagnoses)
- Steps the patient can take to protect themselves from potential harm
- What the organization is doing to investigate the breach, mitigate harm and prevent further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, a website or a postal address
- Optionally, information on credit protection (resources to check and monitor credit, etc.)
If the organization lacks sufficient or current contact information for 10 or more affected individuals, it must provide substitute notice: either a conspicuous posting on the home page of its website for at least 90 days, or a conspicuous notice in major print or broadcast media where the affected individuals likely reside, in either case with a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. If contact information is lacking for fewer than 10 individuals, substitute notice may be given by an alternative written notice, by telephone or by other means.
If the breach affects more than 500 residents of a state or jurisdiction, the organization must also notify prominent media outlets serving that state or jurisdiction, again no later than 60 days after discovery. Lastly, every breach must be reported to the Secretary of Health and Human Services through the HHS breach reporting portal: breaches affecting 500 or more individuals within 60 days of discovery, and smaller breaches in an annual log submitted within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity without unreasonable delay and within 60 days, and the covered entity then carries these notification obligations.
In most cases a breach must be reported. However, if the organization can demonstrate a low probability that the PHI has been compromised, notification is not required. That determination must rest on a risk assessment that weighs at least the following four factors, and the assessment and its conclusion must be documented and retained, because the organization carries the burden of proving that notification was not required:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the data could be re-identified
- The unauthorized person who used the PHI or to whom it was disclosed (another HIPAA-covered entity, for example, versus an unknown outside party)
- Whether the PHI was actually acquired or viewed, as opposed to merely exposed
- The extent to which the risk to the PHI has been mitigated (for example, a signed attestation that a misdirected file was destroyed without being read)
Separately, the rule carves out three situations that are not treated as breaches at all, even though an impermissible use or disclosure occurred, so no notification is required for them:
- A workforce member or person acting under the organization’s authority unintentionally acquires, accesses or uses PHI in good faith and within the scope of their authority, and does not further use or disclose it impermissibly
- A person authorized to access PHI at the organization inadvertently discloses it to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement (not at a different organization), and the recipient does not further use or disclose it impermissibly
- The organization has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information (for example, a misaddressed letter returned unopened)
If you detect a HIPAA breach in your organization, don’t panic. Contain the incident first, then perform and document the four-factor breach risk assessment: when the breach occurred and when it was discovered, what caused it, what PHI was involved and what the potential impact is. Next, handle the notification requirements within their deadlines, and then implement specific security measures so that the same failure cannot recur.