What to Do When Your HIPAA Data Has Been Breached
Data security is critical to the healthcare industry, as providers must be sure to protect sensitive patient information and comply with regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, despite continuous efforts to make healthcare institutions and their employees more aware of HIPAA data breach best practices, security-breach incidents still occur at alarming rates.
Investigations continue to demonstrate that the most severe HIPAA breaches are often due to wrongdoing by an insider. More significantly, hacking incidents involving ransomware or malware are still rising.
Although it’s good news that healthcare organizations are disclosing breaches to the United States Department of Health and Human Services (HHS) faster, many fail to report within the 60-day window required for large breaches, after which they can face civil penalties and monetary fines.
As an aid to healthcare organizations, the HHS provides online HIPAA Basics For Providers: Privacy, Security and Breach Notification Rules. This information contains clear explanations of the rules as well as good resources for further reading. But as a warning to organizations that might not take the rules seriously enough, it reports that when two HIPAA-covered organizations wrongly shared 6,800 personal health records online — including individuals’ medications and lab results — the organizations were fined $4.8 million and had to agree to corrective action plans.
In addition, when a hospital worker pleaded guilty to attempting personal gain from illegally obtained protected health information (PHI), that former worker faced a maximum 10-year prison sentence.
The Importance of Data Security
Various personnel with different types of access across multiple organizations come into contact with sensitive health information daily. Because many people have access to this data, healthcare organizations must carefully evaluate how they handle PHI while ensuring they have the proper compliance protocols established to protect the information.
In the past, protecting PHI was more manageable because most records were on paper locked away in filing cabinets. Today, however, healthcare organizations electronically store this data on computers, network servers and hand-held devices. Electronic records face increased risk of malicious attacks that can lead to a data breach.
Appropriate internet protocols and effective cybersecurity measures are critical for keeping this information confidential. The moment that a party without the patient’s consent gains access to this data, a HIPAA breach occurs, even if the sharing of the information was unintentional. Staying compliant with HIPAA regulations means training employees appropriately, using internal processes geared toward HIPAA compliance and utilizing sufficient technology to ensure protection.
What Is the HIPAA Security Rule and What Constitutes a HIPAA Breach?
The HIPAA Security Rule entails national standards to protect a patient’s medical records and other health information by setting limits on use of this information without the patient’s authorization. As healthcare organizations primarily use electronic methods to maintain patient records, these privacy rules have multiple regulatory layers surrounding digital media, including network transmissions and storage in computers, laptops or mobile devices. If an unauthorized party compromises, accesses or steals medical information in any of these locations, it becomes a HIPAA breach that calls for specific responses and reporting.
Any unauthorized or impermissible disclosure becomes a breach unless the affected healthcare organization can prove that the unlawful access did not compromise a patient’s protected health information. The HIPAA Breach Notification Rule requires HIPAA-covered organizations and their associates to notify patients within 60 days of discovering unlawful access.
Healthcare Data Breach Statistics
Statistics reveal an upward trend in healthcare data breaches in recent decades. The HHS office reported over 4,000 healthcare data breaches between 2009 and 2021, resulting in the exposure, loss, theft or unauthorized disclosure of over 300 million records. That number of records equates to nearly 95% of the United States’ 2021 population.
In 2018, reported healthcare breaches occurred at approximately one incident per day. In 2021, breaches happened at an average daily rate of 1.95, nearly doubling from three years prior.
Statistics from 2009 onward reveal that hacking is the leading cause of breaches, although healthcare organizations have become much more effective at combating these attempts in recent years. In 2021, 528 hacking incidents occurred, an increase of nearly 100 from the previous year. The number of insider breaches has plateaued at around 147 annual incidents.
HIPAA Breach Notification Rules and Requirements
Following a HIPAA breach, covered entities must notify the affected individual, the Secretary of Health and Human Services, and in some circumstances, a local media outlet of the incident. Business associates of a covered entity must notify the entity if they’re responsible for a breach.
Organizations must inform the individual of the incident via United States mail or email within 60 days of discovery. If the breach affects over 500 people in a state or jurisdiction, the organization must provide the incident details to prominent media outlets serving the area. In addition, covered entities must notify the HHS Secretary by submitting a report on the HHS website.
What to Do When Your HIPAA Data Has Been Breached
When considering the possible consequences, it’s crucial for healthcare organizations and their business associates to respond rapidly and appropriately to a potential HIPAA breach. Some of the immediate actions for minimizing liability and mitigating a violation include:
- Stop the breach: Immediate action can help reduce or even nullify a breach’s effects. Initial steps involve terminating access to PHI, retrieving the disclosed PHI and obtaining assurances from recipients that they have not used the PHI and do not plan to do so in the future. It’s critical to sufficiently document all responses during this stage.
- Contact the privacy officer: Each covered organization must have a privacy officer with the experience and training to investigate and respond to a breach appropriately. Reporting deadlines typically begin when anyone in the organization, aside from the person responsible for the incident, first discovers the violation.
- Respond promptly: Quick action is vital because affected organizations are obligated to mitigate the effects of a breach. These actions can potentially help prevent or minimize the impact of future incidents, which is a deciding factor in whether the breach requires reporting. In addition, an organization or associate may avoid potential penalties if they correct a violation within 30 days of its occurrence.
- Investigate thoroughly: Compiling all the essential details is critical to the investigation, including determining the person who committed the breach and identifying the parties that may have received the PHI. Investigators should confirm the type and amount of PHI accessed, used or disclosed and why the parties had access to it. Investigators must also ensure that no redisclosure occurs.
- Mitigate the breach’s impact: HIPAA requires that a covered entity mitigate a breach’s harmful consequences to every possible extent. These efforts could include retrieving, destroying or deleting the PHI. In addition, the organization can minimize the breach’s effects by terminating access, wiping an electronic device or warning the responsible party of the potential penalty.
- Correct the breach: An organization can avoid HIPAA penalties if it does not commit the violation willingly and corrects the problem within 30 days. The organization can help remedy the breach by changing procedures, implementing preventive measures, modifying existing policies and training employees in improved security measures.
- Determine whether the breach requires reporting to the HHS: The unauthorized disclosure or impermissible use of PHI is classified as a breach unless the covered entity establishes a low probability that the information was compromised. The HHS’s Definition of Breach outlines the factors involved in the risk assessment. Breach exceptions include unintentional acquisition and inadvertent disclosure of the PHI.
- Report the breach if required: If the violation requires reporting under the notification rule, the organization or business associate must compile the necessary reports. Failure to report the breach can indicate possible willful neglect, triggering mandatory penalties for the violation. Organizations must notify the affected individual, the HHS Secretary, and in some cases, the media.
Preventing Future Breaches
The best solution to HIPAA breaches is avoiding them entirely rather than responding to them after the fact. Organizations should ensure they take preventive measures by implementing effective policies and technical safeguards and continuously monitoring them. Training and retraining staff members on HIPAA obligations and the consequences of a potential breach is also a vital part of the solution.
Leveraging experiences from past breaches to improve performance is instrumental in preventing future incidents. Purchasing suitable privacy insurance can help cover the fines if a breach does occur. Including indemnifications and other provisions in business associate agreements is also beneficial.
In addition, a HIPAA-compliant fax service, like the cloud faxing services offered by Softlinx, can fortify a provider’s methods of protecting private patient information and other sensitive data.
Softlinx Helps Those Looking to Prevent a Future Data Breach
Moving forward from any data breach usually means establishing smarter document handling protocols. Any good data management system must also allow your business to grow and remain responsive to your clients’ needs. Our HIPAA-compliant cloud faxing services and other solutions can help you achieve these objectives.
Connect with us online or call 800-899-7724 today to learn more about Softlinx cloud faxing and how it can benefit your organization.