What is Considered a HIPAA Breach in 2019?
By Marty Puranik, co-founder, Atlantic.Net.
The Health Insurance Portability and Accountability Act (HIPAA), a bill passed initially in 1996, consists of a set of rules and regulations that protect the privacy and security of health information and provide individuals with certain rights to their health information.
Health and health-related entities play a pivotal role in protecting the privacy and security of sensitive data, so it is important that those entities are perfectly aware of what constitutes a breach under HIPAA terms, in addition to knowing what the actual regulations say and are all about. Check below some examples of HIPAA breaches.
Foreword: not all data breaches are HIPAA breaches
It is common for someone to think that, under HIPAA, any data breach constitutes an immediate breach of HIPAA regulations. However, this is not always the case, and the reason for that is quite simple.
Breaches are something relatively common and that happens in virtually all industries. Even tech giants fall victim to breaches caused by attacks so, even if a company holds strongly to each and every HIPAA regulation, it is impossible to guarantee 100% security, which is especially true considering how fast technology and hackers evolve.
Nathan Little, from Gillware Digital Forensics, has shared valuable knowledge about HIPAA breaches and why the data covered by HIPAA is so desirable for cybercriminals.
Unauthorized access to healthcare records
As one might expect, one of the most recorded types of data breaches has to do with one of HIPAA’s core goals, which is the protection of healthcare records. Usually committed by employees, this breach can often result in termination and even in criminal charges for the offender. While relatively uncommon, the entity can also be fined.
Lack of PHI access controls
Protected Health Information (PHI) is the name for any information about health status, provision of health care, or payment for health care that is created or collected by a health or health-related entity and is also a central point of HIPAA.
In fact, HIPAA clearly establishes, in its HIPAA Security Rules, that entities and their partners (i.e., other entities they communicate PHI and other sensitive data with) need to ensure that PHI can only be accessed by authorized individuals. This is a common breach and is often met with high financial fines.
Failure to encrypt (or similar protection) PHI
One of the most effective ways to ensure PHI privacy and safety is to use encryption on all stages of PHI usage, including offline storage, online storage, and data transmission over a network. Encryption is very safe – in fact, so safe that breaches of encrypted PHI do not have to be reported (unless the decryption key is also stolen or if the data is re-encrypted, a situation in which the responsible entity would also lose access to that data).
While HIPAA does not enforce the use of encryption, it is by far the best option to store and transmit PHI. If it is not used, an alternative kind of protection needs to be used – otherwise, PHI data breaches will surely happen.