HIPAA Breach [What It Is & How to Handle the Aftermath]
Your organization has had a HIPAA breach—now what do you do? Who do you notify, and what must you tell them? Are you subject to penalties?
We’ll explain that and much more below.
What Is a HIPAA Breach?
A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This means if someone else accesses the patient data unlawfully, even accidentally, that’s a breach.
In terms of protections, healthcare data has some of the most restrictive and stringent security requirements in the U.S. There is a good reason for this: medical data is typically seen as completely private to the person involved, such that it should never be shared outside of the relationship between a patient and their doctor, healthcare provider, or insurance payor.
With healthcare organizations primarily utilizing electronic methods to store and transmit patient records, HIPAA has set up several layers of regulations and controls around digital media, including networked transmission, database storage, and mobile computers like tablets and laptops. If medical data is compromised, accessed, or stolen in any way for any length of time in any of these locations, it will be termed a HIPAA breach that will call for specific responses and reporting.
In 2013, the HIPAA Omnibus Rule modified what “breach” means in legal terms and extended legal liability for those breaches to “Business Associates” (third-party contractors and companies working in the healthcare industry alongside providers).
What Is the Difference Between a HIPAA Violation and a HIPAA Breach?
A HIPAA violation is an impermissible use or disclosure of protected health information (PHI) that is less severe than a breach. A HIPAA violation may or may not lead to a financial penalty or other sanctions, while a breach is a serious violation of HIPAA rules that can lead to sanctions, fines, and other corrective action. A HIPAA violation may involve the inappropriate use or disclosure of PHI within an organization, such as an employee disclosing a patient’s PHI or other related information without authorization.
A HIPAA breach, by contrast, typically involves the unauthorized disclosure of PHI to an unauthorized individual or entity, or the access by an unauthorized individual or entity to PHI. A breach can also include the loss of unsecured PHI, such as in the case of unauthorized physical or electronic access.
Is a Ransomware Attack Considered a Breach of HIPAA?
Yes, a ransomware attack is considered a breach of HIPAA and will trigger HIPAA’s notification requirements. HIPAA requires covered entities and their business associates to notify individuals and the Department of Health and Human Services (HHS) of any breaches of unsecured protected health information (PHI).
Why Are There So Many More Data Breaches in The Healthcare Sector Than in Other Sectors?
There are several factors that contribute to the high number of data breaches in the healthcare sector. One of the main reasons is that healthcare organizations tend to store more sensitive personal data—such as medical records, insurance information, and payment information—than other industries. This data is highly lucrative on the dark web, as it can be used to commit identity theft and insurance fraud.
Second, this sensitive PHI is stored on multiple systems, not just computers and servers but on an overwhelming number of different medical devices and hand-held devices. These devices are engineered for functionality first and foremost; device security is seldom, if ever, a priority. These devices are also easy to misplace and even easier to exploit. Medical device security, in fact, is a serious risk management issue.
What Is the Privacy Rule for HIPAA?
More specifically, HIPAA breaches fall under the Privacy Rule, which is one of the three major rules of HIPAA compliance:
- The Privacy Rule. This rule establishes the basics for the privacy of electronic Protected Health Information (ePHI), including defining what ePHI actually is. This rule also defines to what extent patient information must remain private beyond security in terms of how it is transmitted and shared, and who is responsible for governing that privacy.
- The Security Rule. The Security Rule defines methods and measures for securing ePHI through storage, transmission, and access. This includes definitions for aspects of data security like HIPAA encryption, risk management, and reporting.
- The Breach Notification Rule. This rule governs requirements for organizations when a security breach occurs. It includes guidelines for when, how, and how often to notify those affected by security breaches in healthcare systems.
The Privacy Rule is the cornerstone of the other rules because it literally defines what data is considered personal and protected. It sets the standards for protection, what is required by organizations handling healthcare ePHI, and when and how that ePHI can be disclosed, if ever.
When and How Should I Report a HIPAA Breach?
The HIPAA Breach Notification Rule defines a breach as an impermissible disclosure of ePHI. Any unauthorized or impermissible disclosure is considered a breach unless the organization affected can prove that unlawful access did not compromise confidential health data.
According to the rule, the affected organization must notify affected individuals of the data that has been compromised in writing or by email, and they must do it within 60 days of discovering the unlawful access. The letter should include the following information:
- A description of the HIPAA breach.
- The kinds of data being compromised.
- Mitigation efforts taken by the organization.
- The steps a patient should take to protect themselves or their data.
- Optional information for credit protection, including resources to check and monitor their credit or place a fraud notification on their credit report.
If the organization cannot reasonably contact 10 or more affected people (due to out-of-date contact information), then it must also place a notice on its website for at least 90 days after the discovery of the breach. If there are 10 or fewer such individuals, then the affected organization can use telephone calls or other written notices.
If the HIPAA breach impacts more than 500 individuals, then the organization must further provide information to prominent media outlets within the state of jurisdiction.
Finally, all affected organizations must inform the Secretary of Health in writing or through an online form.
In most cases, a breach must be reported. The exception to this rule is if the affected organization can show that there is a low probability that hackers accessed or stored ePHI by performing a risk assessment based on the following factors:
- The types of ePHI affected.
- The type of breach and the credentials used to access it.
- The actual viewing (or not) of the data.
- The extent to which the risk of use or theft of the ePHI has been mitigated.
That is, if a healthcare organization can show that a data breach didn’t expose data, because the intruder lacked the credentials to read it or because some combination of factors made it impossible for the data to be stolen or viewed, then the organization can forgo notifying affected parties. Examples of incidents that fall into this category include:
- An employee unintentionally accesses patient information in good faith as part of their job.
- Two authorized people expose data to each other, whether in the same or different organizations.
- The compromised data will, most likely, not be retained outside of secure systems.
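The notification procedure and the risk-assessment exception above reduce to a small decision tree with fixed deadlines. The following Python planner is an added example, not code from the original post or from Kiteworks: it takes the discovery date, the number of affected individuals, the number who cannot be reached, and the documented four-factor assessment, and returns the notices the rule as summarised above requires, with deadlines computed from the 60-day and 90-day windows. Class and function names (`RiskAssessment`, `BreachReport`, `plan_notifications`) and the sample breach details in `main()` are constructed for the example; it treats exactly 10 unreachable individuals as the website-notice case.

```python
"""Breach notification planner built from the thresholds in the HIPAA Breach
Notification Rule as summarised above. Added example; the class and function
names are assumptions, not HIPAA terminology."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Union

INDIVIDUAL_NOTICE_DAYS = 60        # notify affected individuals within 60 days of discovery
WEB_NOTICE_DAYS = 90               # substitute website notice stays up at least 90 days
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more unreachable people -> website notice
MEDIA_NOTICE_THRESHOLD = 500       # more than 500 individuals -> notify prominent media

# Items the individual notification letter must contain (from the list above).
LETTER_CONTENTS = [
    "description of the breach",
    "kinds of data compromised",
    "mitigation efforts taken by the organization",
    "steps the patient should take to protect themselves or their data",
    "optional credit-protection resources (credit monitoring, fraud alert)",
]


@dataclass
class RiskAssessment:
    """The four-factor assessment used to rebut the presumption of a breach.
    The findings are recorded for the file; the conclusion drives the plan."""
    ephi_types: str                  # factor 1: what kinds of ePHI were involved
    access_method: str               # factor 2: type of breach / credentials used
    data_actually_viewed: bool       # factor 3: was the data actually viewed
    mitigation_extent: str           # factor 4: how far the risk has been mitigated
    low_probability_of_compromise: bool  # documented conclusion of the assessment


@dataclass
class BreachReport:
    discovered_on: Union[date, str]  # ISO string accepted for convenience
    affected_individuals: int
    unreachable_individuals: int     # contact details out of date
    assessment: RiskAssessment

    def __post_init__(self):
        if isinstance(self.discovered_on, str):
            self.discovered_on = date.fromisoformat(self.discovered_on)


@dataclass
class NotificationPlan:
    notification_required: bool
    individual_notice_deadline: Optional[date] = None
    substitute_notice: Optional[str] = None
    web_notice_until: Optional[date] = None
    media_notice_required: bool = False
    hhs_notice_required: bool = False
    letter_contents: List[str] = field(default_factory=list)


def plan_notifications(report: BreachReport) -> NotificationPlan:
    """Return the notices required for this incident under the summarised rule."""
    # An impermissible disclosure is presumed to be a breach unless the
    # documented assessment shows a low probability of compromise.
    if report.assessment.low_probability_of_compromise:
        return NotificationPlan(notification_required=False)

    found = report.discovered_on
    plan = NotificationPlan(
        notification_required=True,
        # Written or email notice to every affected individual within 60 days.
        individual_notice_deadline=found + timedelta(days=INDIVIDUAL_NOTICE_DAYS),
        # The Secretary of HHS is informed for every reportable breach.
        hhs_notice_required=True,
        letter_contents=list(LETTER_CONTENTS),
    )
    # Substitute notice for people whose contact information is out of date.
    if report.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.substitute_notice = "website"
        plan.web_notice_until = found + timedelta(days=WEB_NOTICE_DAYS)
    elif report.unreachable_individuals > 0:
        plan.substitute_notice = "telephone or alternative written notice"
    # Large breaches also go to prominent media outlets in the state.
    if report.affected_individuals > MEDIA_NOTICE_THRESHOLD:
        plan.media_notice_required = True
    return plan


def main():
    # Constructed sample incident: an unencrypted laptop with patient records.
    assessment = RiskAssessment(
        ephi_types="names, dates of birth, diagnoses",
        access_method="stolen unencrypted laptop, no login required",
        data_actually_viewed=True,
        mitigation_extent="device not recovered",
        low_probability_of_compromise=False,
    )
    report = BreachReport("2024-01-15", 1200, 40, assessment)
    print(plan_notifications(report))


if __name__ == "__main__":
    main()
```

The planner is deliberately a pure function over the report so its output can be attached to the incident record and re-run if the affected count or the assessment changes during the investigation.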
What If I Accidentally Violate HIPAA?
Not all HIPAA security violations are due to willful neglect. With such complex requirements and potential attack vectors, it is understandable if an organization accidentally misses HIPAA compliance requirements. Doctors, for example, may send messages to one another that contain ePHI to expedite emergency treatment. In these cases, secure systems can mitigate the larger consequences of disclosure without compromising the ability of a healthcare worker to act quickly and decisively.
There are several main ways to accidentally violate HIPAA:
- Intentional avoidance: As when a doctor shares information outside compliant channels to expedite emergency treatment.
- Accidental exposure: A disclosure made without any intention to do so.
- Intentional disclosure: Either through theft or hacking. This most often occurs through an individual within the organization.
If you or your healthcare organization accidentally violate HIPAA, you should report it within 60 days of discovery of the violation. The earlier you send the notification the better, to avoid the fallout from lost data.
Following the accidental violation, complete any requirements for a HIPAA violation that your organization must comply with (reporting, notifications, etc.). Since the data access was unintentional, the actual compliance requirements may be relatively small.
If the accidental violation was any of the potential examples above (accessed in good faith internally, between two authorized people, or there is evidence the data will not be retained outside of the organization) then you may not have to worry too much about the violation.
Designating a violation as accidental has real meaning when it comes to fines. Penalties for violations can range from $100 to $50,000 per incident (per record compromised) depending on the kind of data, the source of the vulnerability, and whether it was accidental or due to willful neglect.
How Can I Mitigate the Impact of a HIPAA Breach?
If a breach happens, you don’t need to panic, but you do need to take steps to mitigate the damage from the breach as soon as possible.
- Perform a risk analysis. This analysis outlines the timeline of the breach, the cause, and the potential impact of the breach based on the information gathered. This is where you can determine where violations may have occurred and trace accountability through your organization. You’ll also want to determine the kind of data stolen and who has been affected.
- Handle any notification requirements your organization may have based on the HIPAA notification rule. You’ll also want to contact law enforcement plus any third-party security firms you have relationships with.
- Implement specific security measures to counteract the breach. If the breach was associated with a blatant disregard for compliance, then correcting the problem should be easy, if costly in terms of time, money, and reputation.
The best mitigation, overall, is predictive prevention. Having compliant and secure solutions for data storage, transmission, and HIPAA-compliant email while working with an expert firm and/or platform provider can help head off potential problems before they become major breaches.
Work With Kiteworks to Stay HIPAA Compliant and Avoid Breaches
Take steps to secure patient data with the strongest encryption and security measures around. The best place to start is with your day-to-day storage and file transfer technology, and that’s where Kiteworks can help.
Secure Kiteworks systems can support rapid and secure data transfer and file sharing that maintains compliance without hampering efficiency. Secure endpoints and messaging make it simple to share PHI between workers to maintain treatment even in emergency circumstances.
Furthermore, our extensive and comprehensive audit trail provides you with the documentation you need to track who accesses data, when, where and how through a comprehensive CISO dashboard.
Finally, threat analytics and our managed SIEM solutions, built into dedicated private cloud storage, ensure that you can monitor system events effectively and act on problematic activity.
With secure managed file transfer services and secure content firewall technology, you can rest assured that your file management is compliant with HIPAA rules.
To learn how Kiteworks can keep you HIPAA compliant, schedule a custom demo of Kiteworks today.