What Is a HIPAA Breach and What Should You Do if You Have One?
Your organization has had a HIPAA breach—now what do you do? Who do you notify, and what must you tell them? Are you subject to penalties?
We’ll explain that and much more below.
What Is a HIPAA Breach?
A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This means if someone else accesses the patient data unlawfully– even accidentally–that’s a breach.
In terms of protections, healthcare data has some of the most restrictive and stringent security requirements in the U.S. There is a good reason for this: medical data is typically seen as completely private to the person involved in a way such that it should never be shared outside of the relationship between a patient and their doctor, healthcare provider or insurance payor.
With healthcare organizations primarily utilizing electronic methods to store and transmit patient records, HIPAA has set up several layers of regulations and controls around digital media, including networked transmission, database storage, and mobile computers like tablets and laptops. If medical data is compromised, accessed, or stolen in any way for any length of time in any of these locations, it will be termed a HIPAA breach that will call for specific responses and reporting.
In 2013, the HIPAA Omnibus Rule modified what “breach” means in legal terms and extended legal liability for those breaches to “business associates” (third-party contractors and companies working in the healthcare industry alongside providers).
What Is the Difference Between a HIPAA Violation and a HIPAA Breach?
A HIPAA violation is an impermissible use or disclosure of protected health information (PHI) that is less severe than a breach. A HIPAA violation may or may not lead to a financial penalty or other sanctions, while a breach is a serious violation of HIPAA rules that can lead to sanctions, fines, and other corrective action. A HIPAA violation may involve the inappropriate use or disclosure of PHI within an organization, such as an employee disclosing a patient’s PHI or other related information without authorization.
A HIPAA breach, by contrast, typically involves the unauthorized disclosure of PHI to an unauthorized individual or entity, or the access by an unauthorized individual or entity to PHI. A breach can also include the loss of unsecured PHI, such as in the case of unauthorized physical or electronic access.
Is a Ransomware Attack Considered a Breach of HIPAA?
Yes, a ransomware attack is considered a breach of HIPAA and will trigger HIPAA’s notification requirements. HIPAA requires covered entities and their business associates to notify individuals and the Department of Health and Human Services (HHS) of any breaches of unsecured protected health information (PHI).
Why Are There So Many More Data Breaches in the Healthcare Sector Than in Other Sectors?
There are several factors that contribute to the high number of data breaches in the healthcare sector. One of the main reasons is that healthcare organizations tend to store more sensitive personal data—such as medical records, insurance information, and payment information—than other industries. This data is highly lucrative on the dark web, as it can be used to commit identity theft and insurance fraud.
Second, this sensitive PHI is stored on multiple systems, not just computers and servers but on an overwhelming number of different medical devices and hand-held devices. These devices are engineered for functionality first and foremost; device security is seldom, if ever, a priority. These devices are also easy to misplace and even easier to exploit. Medical device security, in fact, is a serious risk management issue.
What Is the Privacy Rule for HIPAA?
More specifically, HIPAA breaches fall under the Privacy rule, which is one of the three major rules of HIPAA compliance:
- The Privacy Rule. This rule establishes the basics for the privacy of electronic Personal Health Information (ePHI), including defining what ePHI actually is. This rule also defines to what extent patient information must remain private beyond security in terms of how it is transmitted and shared, and who is responsible for governing that privacy.
- The Security Rule. The Security Rule defines methods and measures for securing ePHI through storage, transmission, and access. This includes definitions for aspects of data security like HIPAA encryption, risk management, and reporting.
- The Breach Notification Rule. This aspect governs requirements for organizations when a security breach occurs. Includes guidelines for when, how, and how often to notify those affected by security breaches in healthcare systems.
The Privacy Rule is the cornerstone of the other rules because it literally defines what data is considered personal and protected. It sets the standards for protection, what is required by organizations handling healthcare ePHI, and when and how that ePHI can be disclosed, if ever.
Summary of the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule focuses on safeguarding patients’ PHI. This rule establishes the requirements and procedures covered entities and their business associates must follow in the event of unauthorized access to PHI. The Breach Notification Rule aims to ensure timely notification of affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Ultimately, the HIPAA Breach Notification Rule is designed to mitigate the potential harm of a breach and prevent future breaches.
Per the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay but no later than 60 days following the discovery of a breach. The notification should include a description of the breach, the types of PHI involved, the steps individuals should take to protect themselves, and the actions the organization is undertaking to mitigate the impact and prevent future occurrences. If the breach affects 500 or more individuals, the covered entity must notify the HHS simultaneously and sometimes alert the media. For breaches involving fewer than 500 individuals, the covered entity must maintain a log and submit it to the HHS annually.
Adherence to the HIPAA Breach Notification Rule ensures transparency, timely response, and remediation efforts, helping to restore trust between patients and healthcare providers while maintaining the integrity and confidentiality of sensitive health information.
When and How Should You Report a HIPAA Breach?
The HIPAA Breach Notification Rule defines a breach as an impermissible disclosure of ePHI. Any unauthorized or impermissible disclosure is considered a breach unless the organization affected can prove that unlawful access did not compromise confidential health data.
According to the rule, the affected organization must notify affected individuals of the data that has been compromised in writing or by email, and they must do it within 60 days of discovering the unlawful access. The letter should include the following information:
- A description of the HIPAA breach.
- The kinds of data being compromised.
- Mitigation efforts that are taken by the organization.
- The steps a patient should take to protect themselves or their data.
- Optional information for credit protection, including resources to check and monitor their credit or place a fraud notification on their credit report.
If the organization cannot reasonably contact 10 or more people affected (due to out-of-date information) then it must also place a notice on their website for at least 90 days after the discovery of the breach. If there are 10 or fewer individuals, then the affected organization can use telephone calls or other written notices.
If the HIPAA breach impacts more than 500 individuals, then the organization must further provide information to prominent media outlets within the state of jurisdiction.
Finally, all affected organizations must inform the Secretary of Health in writing or through an online form.
In most cases, a breach must be reported. The exception to this rule is if the affected organization can show that there is a low probability that hackers accessed or stored ePHI by performing a risk assessment based on the following factors:
- The types of ePHI affected.
- The type of breach and the credentials used to access it.
- The actual viewing (or not) of the data.
- The extent where the risk against the use or theft of the ePHI has been mitigated.
That is, if a healthcare organization can show that a data breach didn’t expose data due to lack of credentials or some combination of factors that would make it impossible to be stolen or viewed, then the organization can forego notifying affected parties. This can look like a few mistakes:
- An employee unintentionally accesses patient information accidentally as part of their job.
- Two authorized people expose data to each other in the same or different organization.
- The data compromised will, most likely, not be saved outside of secure systems.
What Happens After You Have Made a HIPAA Data Breach Notification to HHS?
Once a covered entity or a business associate has notified HHS of a data breach, several steps are taken to ensure that the breach is adequately addressed and that all necessary actions are implemented to prevent future occurrences. It is crucial for organizations to understand the process following a breach notification. The process includes preparing for potential investigations, remediation efforts, and penalties.
Upon receiving the breach notification, the HHS Office of Civil Rights (OCR) reviews the submitted information and may initiate an investigation to assess the circumstances surrounding the breach. The primary goal of the investigation is to determine whether there have been violations of the HIPAA Privacy, Security, or Breach Notification Rules. The OCR may request additional information or documentation from the covered entity or business associate and conduct site visits if necessary.
If the OCR identifies a HIPAA violation, the covered entity or business associate may face penalties, including financial fines, corrective action plans, and in some cases, a resolution agreement. The severity of the penalties depends on factors such as the extent of the breach, the level of negligence, and the organization’s history of compliance. The organization must cooperate fully with the OCR during the investigation and demonstrate efforts to remediate any identified issues.
During this time, the organization should also focus on strengthening its privacy and security practices, addressing vulnerabilities, and implementing corrective measures to prevent future breaches. By improving their HIPAA compliance, organizations can minimize potential penalties and better protect their patients’ health information.
Where Should You Report HIPAA Violations if You Are the Victim of a Data Breach?
Suppose you suspect you are a victim of a data breach involving your PHI and believe there has been a HIPAA violation. In that case, taking action and reporting the incident is essential. Reporting HIPAA violations helps ensure that the responsible parties are held accountable and that measures are taken to prevent similar breaches in the future.
The first step in reporting a HIPAA violation is to contact the covered entity, such as the healthcare provider or insurance company, responsible for maintaining your PHI. Inform them about the suspected breach and request an investigation into the matter. They are obligated to investigate, take corrective action, and notify affected individuals per the HIPAA Breach Notification Rule.
If you are dissatisfied with the covered entity’s response or believe they are not taking appropriate action, you can file a complaint with the HHS OCR.
As a reminder, the OCR is responsible for enforcing HIPAA regulations and investigating potential violations. You can submit a complaint online through the OCR’s website or by mail, fax, or email. It is essential to file the complaint within 180 days of when you first became aware of the potential violation, although the OCR may grant an extension under certain circumstances.
By reporting HIPAA violations, you play a crucial role in maintaining the privacy and security of your PHI and that of other patients, ensuring healthcare organizations uphold their responsibilities under HIPAA.
What if You Accidentally Violate HIPAA?
Not all HIPAA security violations are due to willful neglect. With such complex requirements and potential attack vectors, it can be understandable if an organization accidentally misses HIPAA compliance requirements. Doctors, for example, may send messages to one another that contains ePHI to expedite emergency treatment. In these cases, secure systems can mitigate larger consequences of disclosure without compromising the ability of a healthcare worker to act quickly and decisively.
Predominantly, there are several ways to accidentally violate HIPAA:
- Intentional avoidance: As when a doctor shares information outside compliant channels to expedite emergency treatment.
- Accidental exposure: Disclosure made without intention to do so.
- Intentional disclosure: Either due to theft or hacking. Most often occurs due to an individual within the organization.
If you or your healthcare organization accidentally violate HIPAA, you should report it within 60 days of discovery of the violation. The earlier you send the notification the better, to avoid the fallout from lost data.
Following the accidental violation, complete any requirements for a HIPAA violation that your organization must comply with (reporting, notifications, etc.). It may be the case that, since data access was unintentional, in which case the actual compliance requirements might be relatively small.
If the accidental violation was any of the potential examples above (accessed in good faith internally, between two authorized people, or there is evidence the data will not be retained outside of the organization) then you may not have to worry too much about the violation.
Designating a violation as accidental has real meaning when it comes to fines. Penalties for violations can range from $100 to $50,000 per incident (per record compromised) depending on the kind of data, the source of the vulnerability, and whether or not it was accidental or due to willful negligence.
Why Staff Must Be Trained on Reporting HIPAA Breaches
Proper staff training on reporting HIPAA breaches is critical to maintaining the privacy and security of patients’ PHI. There are several reasons why.
First and foremost, staff training helps create a culture of compliance and awareness within the organization. By educating employees on the importance of HIPAA regulations and their role in safeguarding PHI and patient privacy, they become more vigilant and proactive in identifying and addressing potential risks. This heightened awareness can lead to the prevention of breaches and a more robust security posture overall.
Second, a well-trained staff can quickly detect and report breaches, ensuring that the organization can immediately mitigate the impact. Prompt reporting and response are crucial for limiting the potential harm to affected individuals and minimizing the organization’s exposure to fines and penalties associated with the HIPAA Breach Notification Rule.
Additionally, staff training on reporting HIPAA breaches is crucial for maintaining organizational transparency and accountability. Employees should feel confident reporting breaches or potential violations without fear of retaliation, creating an environment where privacy and security are prioritized and actively supported.
Finally, providing staff with the necessary knowledge and tools to report HIPAA breaches ensures that the organization complies with HIPAA. Regular training updates and refreshers help staff stay informed about new threats and evolving best practices, further reinforcing the organization’s commitment to maintaining the privacy and security of PHI.
How Can You Mitigate the Impact of a HIPAA Breach?
If a breach happens, you don’t need to panic, but you do need to take steps to mitigate the damage from the breach as soon as possible.
- Perform a risk analysis. This analysis outlines the timeline of the breach, the cause, and the potential impact of the breach based on the information gathered. This is where you can determine where violations may have occurred and trace accountability through your organization. You’ll also want to determine the kind of data stolen and who has been affected.
- Handle any notification requirements your organization may have based on the HIPAA notification rule. You’ll also want to contact law enforcement plus any third-party security firms you have relationships with.
- Implement specific security measures to counteract the breach. If the breach was associated with a blatant disregard for compliance, then correcting the problem should be easy, if costly in terms of time, money, and reputation.
The best mitigation, overall, is predictive prevention. Having compliant and secure solutions for data storage, transmission, and HIPAA-compliant email while working with an expert firm and/or platform provider can help head off potential problems before they become major breaches.
Data Breaches by Business Associates
Business associates are third-party organizations that handle, store, or process protected health information on behalf of covered entities, such as healthcare providers and insurance companies. Like covered entities, business associates must comply with privacy and security regulations to safeguard the PHI they manage. Unfortunately, data breaches can still occur, and understanding the common causes and consequences of these breaches is essential for both business associates and covered entities.
Data breaches involving business associates can result from various factors, such as human error, inadequate security measures, or targeted cyberattacks. These breaches can lead to the unauthorized disclosure, alteration, or destruction of PHI, putting patients at risk of identity theft, financial fraud, and loss of privacy. Common causes include phishing campaigns, weak password policies, unauthorized access, improper disposal of PHI, and lost or stolen devices containing sensitive information.
When a data breach involving a business associate occurs, the business associate and the covered entity must take immediate action to assess the scope of the breach, identify the affected individuals, and mitigate potential harm. In line with the HIPAA Breach Notification Rule, they must notify affected individuals, the HHS OCR, and in some cases, the media about the breach. Failure to do so can result in significant financial penalties, damage to reputation, and loss of trust among patients and partners.
Business associates should implement robust security policies to prevent data breaches, conduct regular risk assessments, provide team member training, and maintain incident response plans. By proactively addressing potential vulnerabilities and complying with HIPAA regulations, business associates can better protect the PHI they handle and minimize the risk of costly breaches.
Stay HIPAA Compliant and Avoid Breaches With Kiteworks
Kiteworks provides covered entities and their business associates a secure and compliant file sharing and file transfer solution for email, file sharing, MFT, and SFTP. With granular access controls and best-in-class encryption, Kiteworks ensures that only authorized users have access to protected health information, and this and other sensitive information stays private in transit and at rest. Kiteworks seamlessly integrates with a range of enterprise applications and security infrastructure, making it an invaluable asset for organizations that must govern, protect, and control their sensitive content in compliance with HIPAA and other data privacy regulations and standards.
Additionally, Kiteworks provides unparalleled visibility into all file activity—namely who sent what file to whom, when, and how—empowering businesses to maintain full control over their documents and enhance their overall security posture. With Kiteworks, healthcare organizations can confidently navigate a digital landscape fraught with risk and threats, knowing their PHI and other sensitive content is sent, shared, received, and stored securely.
To learn how Kiteworks can help you achieve HIPAA compliance, schedule a custom demo today.
Additional Resources
- Blog Post What Are HIPAA Compliance Requirements? [Complete Checklist]
- Blog Post What Is the HIPAA Minimum Necessary Rule?
- Blog Post Top HIPAA-compliant Forms
- Blog Post HIPAA Encryption: Requirements, Best Practices & Software
- Blog Post Send HIPAA-compliant Email