How To Respond To A HIPAA Breach
By Richard Bailey, lead IT consultant, Atlantic.Net.
The Health Insurance Portability and Accountability Act of 1996 is a day-to-day concern for medical professionals and healthcare management teams in the United States. HIPAA, and the subsequent Privacy and Security amendments of 2003, were created to protect the confidentiality of Protected Health Information (PHI).
The Breach Notification Rule was added in 2009 to include specific laws about how to respond to a breach, and the Final Omnibus Rule was added in 2013 to harden the enforcement rules and response requirements.
A HIPAA breach is a serious concern: it can be very costly, instantly creating financial and reputational damage. A breach must be responded to appropriately by the HIPAA-covered entities and any impacted Business Associates.
The threat landscape has definitely changed in 2020/2021. COVID-19 has changed the way front-line healthcare is delivered, and it has also put great pressure on upholding the data integrity of PHI, despite some concessions being offered by the Office for Civil Rights (OCR) during the pandemic.
Between March 2020 and March 2021, 530 data breaches were reported to the OCR; this figure includes both confirmed data breaches and breaches that are currently under investigation. These reports suggest that 26,023,940 patient records were exposed in data breaches in one single year, quite a staggering figure.
What is a HIPAA data breach?
There are two types of breaches classified by the U.S. Department of Health and Human Services (HHS). A breach that does not disclose PHI is considered "not a breach." A breach that does disclose PHI must be classified as either an intentional or unintentional disclosure. Deliberate disclosure is considered a very serious breach and typically involves significant penalties.
The primary cause of breaches is usually a lost or stolen computing device, such as a laptop, cell phone, or tablet. Many losses are attributed to employee carelessness, employee mistakes, or other unintentional actions. The other major cause is third-party involvement, such as hackers, malicious actors, and so on.