Data security is critical to the healthcare industry. Employees and providers must protect sensitive patient information and comply with the regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, despite ongoing efforts to educate healthcare institutions and their employees on HIPAA breach prevention and response, breaches still occur at alarming rates.
Investigations continue to show that many of the most severe HIPAA breaches originate with an insider, often unintentionally. More significantly, hacking incidents involving ransomware or other malware continue to increase.
As an aid to healthcare organizations, the United States Department of Health and Human Services (HHS) provides online HIPAA Basics For Providers: Privacy, Security and Breach Notification Rules. This information contains clear explanations of the rules, as well as good resources for further education.
Healthcare Data Breach Statistics
Statistics reveal an upward trend in healthcare data breaches over the past decade and a half. HHS reported over 4,000 healthcare data breaches between 2009 and 2021, resulting in the exposure, loss, theft, or unauthorized disclosure of over 300 million records, a figure equivalent to nearly 95% of the 2021 United States population. In 2018, reported healthcare breaches occurred at a rate of approximately one incident per day; in 2021 the average daily rate was 1.95, nearly double the rate of three years earlier. Statistics from 2009 onward show hacking as the leading cause of breaches. Although healthcare organizations have strengthened their defenses in recent years, 528 hacking incidents were reported in 2021, an increase of nearly 100 over the previous year. The number of insider breaches has plateaued at around 147 incidents per year.
The Importance of Data Security
HHS reports that two HIPAA-covered organizations wrongly exposed the health records of 6,800 individuals online, including medications and lab results. The organizations were fined $4.8 million and had to agree to corrective action plans. In another case, a hospital worker pleaded guilty to seeking personal gain from illegally obtained protected health information (PHI) and faced a maximum 10-year prison sentence. Personnel with many different types of access, across multiple organizations, handle sensitive health information daily. Because so many people can reach this data, healthcare organizations must carefully evaluate how they handle PHI and establish the compliance controls needed to protect it. Because PHI is now stored electronically on workstations, network servers and hand-held devices, these records face an increased risk of malicious attacks that can lead to a data breach. Staying compliant with HIPAA means training employees appropriately, running internal processes designed around HIPAA compliance, and deploying sufficient technology to protect the data. Effective network, application and endpoint security controls are critical for keeping this information confidential. Any use or disclosure of PHI that the Privacy Rule does not permit and that compromises the security or privacy of the data is a HIPAA breach. Even if the disclosure was unintentional, it can mean major legal ramifications for the organization.
What Is the HIPAA Security Rule and What Constitutes a HIPAA Breach?
The HIPAA Privacy Rule sets national standards that protect a patient's medical records and other health information by limiting how that information may be used and disclosed without the patient's authorization. Because healthcare organizations now maintain patient records primarily in electronic form, the HIPAA Security Rule adds a further layer of administrative, physical and technical safeguards specifically for electronic PHI (ePHI), covering network transmission as well as storage on servers, workstations, laptops and mobile devices. If an unauthorized party accesses, acquires, uses or discloses PHI in any of these locations, the incident is presumed to be a breach that calls for specific response and reporting, unless the affected organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.
What to Do When Your HIPAA Data Has Been Breached
It's crucial for healthcare organizations and their business associates to respond rapidly and appropriately to a potential HIPAA breach. Immediate actions that minimize liability and mitigate a violation include:
- Stop the breach. Contain the unauthorized access immediately: revoke the compromised credentials or account, isolate the affected system, and close the specific channel through which PHI is being accessed or is leaving, so the breach cannot widen.
- Contact the privacy officer. Each covered entity must designate a privacy officer with the experience and training to investigate and respond to a breach appropriately. The reporting clock starts on the first day any member of the workforce knew, or reasonably should have known, of the breach, so it should be escalated as soon as possible. The privacy officer will also ensure that all the proper steps are taken.
- Mitigate the impact. HIPAA requires a covered entity to mitigate a breach's harmful consequences to the extent practicable. These efforts could include:
  - Retrieving, deleting, or destroying the disclosed PHI.
  - Wiping PHI from an affected electronic device.
  - Warning the responsible party of the penalties attached to the breach and obtaining written assurance that they have not used, and do not plan to use, the PHI.
- Document everything. Compiling all details of the breach is critical to the investigation: the type and amount of PHI accessed, used, or disclosed; why the parties had access to it; what it was used for; and the steps taken to mitigate the impact. Investigators must also confirm that the PHI has not been redisclosed.
- Correct the breach. An organization can avoid civil penalties if the violation was not due to willful neglect and it corrects the problem within 30 days of the date it knew, or should have known, of the violation. The organization can help remedy the breach by:
  - Changing its privacy or access procedures.
  - Implementing new preventive measures.
  - Modifying existing policies.
  - Training employees on security measures.
- Determine whether the breach requires reporting to HHS. Unless the covered entity establishes a low probability that the PHI was compromised, an unauthorized disclosure or impermissible use of PHI is classified as a breach. The rule excludes three situations: unintentional, good-faith access by a workforce member acting within their authority; inadvertent disclosure between persons authorized to access PHI at the same entity; and disclosure where the recipient could not reasonably have retained the information. HHS's Definition of a Breach sets out the four factors of the risk assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
- Report the breach, if required. If the incident requires reporting under the Breach Notification Rule, the organization or business associate must compile all necessary reports. Failure to report a breach can indicate willful neglect, which triggers mandatory penalties for the violation. Organizations must notify the affected individuals and the HHS Secretary, and in some cases the media.
HIPAA Breach Notification Rules and Requirements
Following a HIPAA breach, the HIPAA Breach Notification Rule requires HIPAA-covered organizations and their business associates to notify the affected individuals without unreasonable delay, and no later than 60 calendar days after the breach is discovered. Others that must be notified include:
- Prominent media outlets serving the area, if the breach affects more than 500 residents of a state or jurisdiction.
- The Secretary of Health and Human Services, via the breach report form on the HHS website. Breaches affecting 500 or more individuals must be reported within the same 60-day window; smaller breaches are logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered.
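The notification thresholds above are easy to mis-apply, because the media test is evaluated per state or jurisdiction (more than 500 residents) while the HHS test is evaluated on the aggregate (500 or more individuals), and smaller breaches roll into an annual log with a different deadline. The following Python is an added illustration, not code from the page or from HHS; it encodes the deadlines as stated above (60 calendar days from discovery, and 60 days after 31 December for the annual log) and uses constructed breach records with hypothetical state counts. The record fields mirror the "document everything" step earlier on the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Outer limit after discovery; the rule also requires "no unreasonable delay",
# so this is a deadline, not a target.
NOTIFY_WINDOW = timedelta(days=60)
MEDIA_THRESHOLD = 500   # media notice: MORE THAN 500 residents of one state/jurisdiction
HHS_THRESHOLD = 500     # immediate HHS report: 500 OR MORE individuals in total


@dataclass
class BreachRecord:
    """Minimal breach log entry (field names are this example's, not HHS's)."""
    discovered: date                 # first day any workforce member knew or should have known
    phi_types: list                  # e.g. ["name", "diagnosis", "lab results"]
    affected_by_state: dict          # state/jurisdiction -> number of affected residents
    access_reason: str               # why the party involved had access
    mitigation_steps: list = field(default_factory=list)

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def discovery_deadline(record: BreachRecord) -> date:
    """Latest date for notices whose clock runs from discovery."""
    return record.discovered + NOTIFY_WINDOW


def annual_log_deadline(record: BreachRecord) -> date:
    """Deadline for the annual log of breaches affecting fewer than 500 people."""
    return date(record.discovered.year, 12, 31) + NOTIFY_WINDOW


def notification_obligations(record: BreachRecord) -> dict:
    """Work out who must be notified and by when for one breach record."""
    deadline = discovery_deadline(record)
    # Media notice is decided state by state, never on the aggregate count.
    media_states = sorted(
        state for state, count in record.affected_by_state.items()
        if count > MEDIA_THRESHOLD
    )
    large_breach = record.total_affected >= HHS_THRESHOLD
    return {
        "individuals": deadline,
        "media": {"states": media_states, "deadline": deadline} if media_states else None,
        "hhs": {
            "deadline": deadline if large_breach else annual_log_deadline(record),
            "annual_log": not large_breach,
        },
    }


def days_remaining(record: BreachRecord, today: date) -> int:
    """Days left before individual notification is overdue (negative when late)."""
    return (discovery_deadline(record) - today).days


if __name__ == "__main__":
    # Constructed example: 600 affected in one state, 10 in another.
    example = BreachRecord(
        discovered=date(2021, 3, 15),
        phi_types=["name", "medication list", "lab results"],
        affected_by_state={"CA": 600, "NV": 10},
        access_reason="misconfigured file share exposed to the internet",
        mitigation_steps=["share taken offline", "credentials rotated"],
    )
    for party, detail in notification_obligations(example).items():
        print(f"{party}: {detail}")
    print("days remaining:", days_remaining(example, date(2021, 4, 1)))
```

The second constructed case a practitioner should check is 600 individuals spread as 200 each across three states: the aggregate triggers the immediate HHS report, but no single state exceeds 500, so no media notice is due.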
Preventing Future Breaches
The best way to avoid HIPAA breaches is to take preventive measures rather than responding after the fact. Organizations should:
- Implement effective policies and technical safeguards, and continuously monitor them.
- Train and retrain staff on their HIPAA obligations and on the consequences of a breach.
- Purchase suitable privacy or cyber liability insurance to help cover fines if a breach does occur.
- Include indemnification and other protective provisions in business associate agreements.