Your organization has had a HIPAA breach—now what do you do? Who do you notify, and what must you tell them? Are you subject to penalties?
We’ll explain that and much more below.
What Is a HIPAA Breach?
A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In other words, if someone accesses patient data unlawfully, even accidentally, that is a breach.
In terms of protections, healthcare data is subject to some of the most restrictive and stringent security requirements in the U.S. There is a good reason for this: medical data is generally regarded as entirely private to the individual concerned and should never leave the relationship between a patient and their doctor, healthcare provider, or insurance payor.
With healthcare organizations primarily using electronic methods to store and transmit patient records, HIPAA has set up several layers of regulations and controls around digital media, including networked transmission, database storage, and mobile computers such as tablets and laptops. If medical data is compromised, accessed, or stolen in any way, for any length of time, in any of these locations, it is treated as a HIPAA breach and triggers specific response and reporting obligations.
In 2013, the HIPAA Omnibus Rule modified what “breach” means in legal terms and extended legal liability for those breaches to “Business Associates” (third-party contractors and companies working in the healthcare industry alongside providers).
What Is the Privacy Rule for HIPAA?
More specifically, HIPAA breaches fall under the Privacy Rule, which is one of the three major rules of HIPAA compliance:
- The Privacy Rule. This rule establishes the basics for the privacy of electronic protected health information (ePHI), including defining what ePHI actually is. Beyond security alone, it also defines to what extent patient information must remain private in terms of how it is transmitted and shared, and who is responsible for governing that privacy.
- The Security Rule. The Security Rule defines methods and measures for securing ePHI through storage, transmission, and access. This includes definitions for aspects of data security like HIPAA encryption, risk management, and reporting.
- The Breach Notification Rule. This rule governs what organizations must do when a security breach occurs. It includes guidelines for when, how, and how often to notify those affected by security breaches in healthcare systems.
The Privacy Rule is the cornerstone of the other rules because it defines what data is considered personal and protected. It sets the standards for protection, what is required of organizations handling healthcare ePHI, and when and how that ePHI can be disclosed, if ever.
When and How Should I Report a HIPAA Breach?
The HIPAA Breach Notification Rule defines a breach as an impermissible disclosure of ePHI. Any unauthorized or impermissible disclosure is considered a breach unless the organization affected can prove that unlawful access did not compromise confidential health data.
According to the rule, the affected organization must notify the affected individuals, in writing or by email, of the data that has been compromised, and it must do so within 60 days of discovering the unlawful access. The notification should include the following information:
- A description of the HIPAA breach.
- The kinds of data being compromised.
- Mitigation efforts taken by the organization.
- The steps a patient should take to protect themselves or their data.
- Optional information for credit protection, including resources to check and monitor their credit or place a fraud notification on their credit report.
If the organization cannot reasonably contact 10 or more affected people (because their contact information is out of date), then it must also place a notice on its website for at least 90 days after the discovery of the breach. If there are 10 or fewer such individuals, then the affected organization can use telephone calls or other written notices.
If the HIPAA breach impacts more than 500 individuals, then the organization must further provide information to prominent media outlets within the state of jurisdiction.
Finally, all affected organizations must inform the Secretary of Health in writing or through an online form.
In most cases, a breach must be reported. The exception to this rule is if the affected organization, by performing a risk assessment based on the following factors, can show that there is a low probability that hackers accessed or stored the ePHI:
- The types of ePHI affected.
- The type of breach and the credentials used to access it.
- The actual viewing (or not) of the data.
- The extent to which the risk of use or theft of the ePHI has been mitigated.
That is, if a healthcare organization can show that a data breach did not expose data, because of a lack of credentials or some combination of factors that would make it impossible for the data to be stolen or viewed, then the organization can forgo notifying affected parties. Examples of such situations include:
- An employee unintentionally accesses patient information in good faith as part of their job.
- Two authorized people expose data to each other in the same or different organization.
- The data compromised will, most likely, not be saved outside of secure systems.
What if I Accidentally Violate HIPAA?
Not all HIPAA security violations are due to willful neglect. With such complex requirements and so many potential attack vectors, it is understandable that an organization might accidentally miss a HIPAA compliance requirement. Doctors, for example, may send messages to one another that contain ePHI to expedite emergency treatment. In these cases, secure systems can mitigate the larger consequences of disclosure without compromising the ability of a healthcare worker to act quickly and decisively.
There are several common ways to accidentally violate HIPAA:
- Intentional avoidance: As when a doctor shares information outside compliant channels to expedite emergency treatment.
- Accidental exposure: Disclosure made without intention to do so.
- Intentional disclosure: Theft or hacking, most often carried out by an individual within the organization.
If you or your healthcare organization accidentally violate HIPAA, you should report it within 60 days of discovering the violation. The earlier you send the notification, the better, to limit the fallout from lost data.
Following the accidental violation, complete any requirements for a HIPAA violation that your organization must comply with (reporting, notifications, etc.). Since the data access was unintentional, the actual compliance requirements may be relatively small.
If the accidental violation was any of the potential examples above (accessed in good faith internally, between two authorized people, or there is evidence the data will not be retained outside of the organization) then you may not have to worry too much about the violation.
Designating a violation as accidental has real meaning when it comes to fines. Penalties for violations can range from $100 to $50,000 per incident (per record compromised), depending on the kind of data, the source of the vulnerability, and whether it was accidental or due to willful neglect.
How Can I Mitigate the Impact of a HIPAA Breach?
If a breach happens, you don’t need to panic, but you do need to take steps to mitigate the damage from the breach as soon as possible.
- Perform a risk analysis. This analysis outlines the timeline of the breach, the cause, and the potential impact of the breach based on the information gathered. This is where you can determine where violations may have occurred and trace accountability through your organization. You’ll also want to determine the kind of data stolen and who has been affected.
- Handle any notification requirements your organization may have based on the HIPAA notification rule. You’ll also want to contact law enforcement plus any third-party security firms you have relationships with.
- Implement specific security measures to counteract the breach. If the breach was associated with a blatant disregard for compliance, then correcting the problem should be easy, if costly in terms of time, money, and reputation.
The best mitigation, overall, is predictive prevention. Having compliant and secure solutions for data storage, transmission, and HIPAA compliant email while working with an expert firm and/or platform provider can help head off potential problems before they become major breaches.
Work with Accellion to Stay HIPAA Compliant and Avoid Breaches
Take steps to secure patient data with the strongest encryption and security measures around. The best place to start is with your day-to-day storage and file transfer technology, and that’s where Accellion can help.
Secure Kiteworks systems support rapid and secure data transfer and file sharing that maintains compliance without hampering efficiency. Secure endpoints and messaging make it simple to share PHI between workers to maintain treatment even in emergency circumstances.
Furthermore, our extensive and comprehensive audit trail provides you with the documentation you need to track who accesses data, and when, where, and how, through a comprehensive CISO dashboard.
Finally, threat analytics and our managed SIEM solutions, built into dedicated private cloud storage, ensure that you can monitor system events effectively and act on problematic activity.
With secure managed file transfer services and secure content firewall technology, you can rest assured that your file management is compliant with HIPAA rules.
Access our HIPAA Compliance Guide to learn how Accellion keeps you HIPAA compliant.
*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion authored by Robert Dougherty. Read the original post at: https://www.accellion.com/hipaa-compliance/hipaa-breach/