By Marty Puranik,
Founder, President, CEO, Atlantic.Net
Especially given the Breach Notification Rule, the requirement to send out notifications to patients and other parties following compromise of your healthcare information defenses, it is important to think specifically about what a breach is and how likely ones of different types are to occur.
What is and is not a HIPAA breach?
Breach is defined in HIPAA section 164.402, as highlighted in healthcare compliance resource HIPAA Survival Guide:
The definition of breach from the code is “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.” In other words, it means that confidential health records are changing hands, per the requirements of Section E. Section E can be viewed in the Code of Federal Regulations Title 45 (Public Welfare), Chapter A (Department of Health and Human Services), Subchapter C, Part 164; see especially section 164.502, which covers required, permitted, prohibited and restricted forms of use and disclosure.
It is also important to understand the HHS’s exclusions – what is NOT a breach. You have not suffered a breach if the exposure of PHI was accidental and caused by an inappropriate action by a workforce member or individual carrying out tasks on behalf of the HIPAA-compliant company, as long as the compromise occurred within the proper authority, without ill intentions, and without expectation of repetition.
You also have not suffered a breach if it was an accidental disclosure by an individual who does have general authorization (and training) to access PHI at a HIPAA-compliant organization to an additional individual who is also generally authorized to access HIPAA information.
Nature of key recent healthcare breaches
Research from Beazley found that the primary reason breaches occurred in 2017 was unintended disclosure. Unintended disclosure includes an email that has confidential health data in it and is sent to the incorrect patient, or an incident in which a server is unintentionally configured as publicly accessible. Healthcare data breaches logged by Beazley in the first nine months of 2017 were as follows:
- unintended data disclosure – 41%
- malware and hacking – 19%
- malicious insider – 15%
- physical loss of a device or drive – 8%.
A recent study of five teaching hospitals audited recycling bins revealed the importance of guarding against paper PHI breaches as well. In the study, researchers found almost 3000 documents containing personally identifiable information (PII), nearly 2000 of which included personal health information. While that study is from Canada, it showcases the threat to healthcare institutions in the US as well.
Omnibus Final Rule and HIPAA breach responsibility
Another important note related to HIPAA breaches in 2018 is how compliance has been different since the HIPAA/HITECH Omnibus Final Rule went into effect on September 23, 2013. Previously, breaches were entirely the responsibility of HIPAA covered entities (healthcare providers, plans, and data clearinghouses). When the American Recovery and Reinvestment Act (ARRA) was passed in 2009, its Title XIII was the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH stated that business associates (service providers that handle PHI) would be assuming responsibility for information protection alongside healthcare organizations.
Preventing healthcare breaches in 2018
Preventing HIPAA breaches in a complex threat landscape requires more than routine risk assessments which are required. Also ensure the implementation of strong policies for the establishment of protections, training, business associate agreements (BAAs), and other elements of a HIPAA-compliant, security-centered ecosystem.