What is Considered a HIPAA Breach in 2019?
By Marty Puranik, co-founder, Atlantic.Net.
The Health Insurance Portability and Accountability Act (HIPAA), a bill passed initially in 1996, consists of a set of rules and regulations that protect the privacy and security of health information and provide individuals with certain rights to their health information.
Health and health-related entities play a pivotal role in protecting the privacy and security of sensitive data, so it is important that those entities are perfectly aware of what constitutes a breach under HIPAA terms, in addition to knowing what the actual regulations say and are all about. Check below some examples of HIPAA breaches.
Foreword: not all data breaches are HIPAA breaches
It is common for someone to think that, under HIPAA, any data breach constitutes an immediate breach of HIPAA regulations. However, this is not always the case, and the reason for that is quite simple.
Breaches are something relatively common and that happens in virtually all industries. Even tech giants fall victim to breaches caused by attacks so, even if a company holds strongly to each and every HIPAA regulation, it is impossible to guarantee 100% security, which is especially true considering how fast technology and hackers evolve.
Nathan Little, from Gillware Digital Forensics, has shared valuable knowledge about HIPAA breaches and why the data covered by HIPAA is so desirable for cybercriminals.
Unauthorized access to healthcare records
As one might expect, one of the most recorded types of data breaches has to do with one of HIPAA’s core goals, which is the protection of healthcare records. Usually committed by employees, this breach can often result in termination and even in criminal charges for the offender. While relatively uncommon, the entity can also be fined.
Lack of PHI access controls
Protected Health Information (PHI) is the name for any information about health status, provision of health care, or payment for health care that is created or collected by a health or health-related entity and is also a central point of HIPAA.
In fact, HIPAA clearly establishes, in its HIPAA Security Rules, that entities and their partners (i.e., other entities they communicate PHI and other sensitive data with) need to ensure that PHI can only be accessed by authorized individuals. This is a common breach and is often met with high financial fines.
Failure to encrypt (or similar protection) PHI
One of the most effective ways to ensure PHI privacy and safety is to use encryption on all stages of PHI usage, including offline storage, online storage, and data transmission over a network. Encryption is very safe – in fact, so safe that breaches of encrypted PHI do not have to be reported (unless the decryption key is also stolen or if the data is re-encrypted, a situation in which the responsible entity would also lose access to that data).
While HIPAA does not enforce the use of encryption, it is by far the best option to store and transmit PHI. If it is not used, an alternative kind of protection needs to be used – otherwise, PHI data breaches will surely happen.
Wrong disposal of PHI
When PHI is no longer required and retention periods are over, they need to be removed and destroyed in a safe and definitive way, which can involve shredding or pulping for paper PHI, or degaussing, wiping and/or the destruction of the devices, in the case of electronic PHI.
A study published last year by JAMA shows that Canadian hospitals sometimes dispose of PHI in an unsafe manner and, while these hospitals are obviously not under the regulations of HIPAA, the analysis of this study is useful to understand where potential problems may arise in this particular area of HIPAA rules.
For example, the study highlights situations in which even hospitals that implemented PHI disposal procedures were often doing this disposal in an incorrect and unsafe manner.
Failure to properly dispose of PHI is a very serious HIPAA data breach, often met with large fines reaching six figures. To avoid these breaches, HIPAA covered entities should review their policies, procedures, striving to enforce proper PHI disposal mechanisms.
Lack of automatic locking for unattended devices
In our digital world, most PHI is electronic and is handled on devices like computers, tablets or smartphones. Under HIPAA, PHI (regardless of its format) should be secured at any time, which leaves unattended devices at high risk and as a dangerous source of HIPAA data breaches.
Knowing this, companies should try to make sure this does not happen, for example by making sure all devices are covered with an auto-lock system that makes them inaccessible for unauthorized personnel. If we are talking about paper PHI, then a similar concept needs to be applied to the place(s) where PHI is stored.
Release of unauthorized personal information
Another common HIPAA data breach has to do with the fact that, under HIPAA, in order to release patient information to third parties there needs to be specific authorization. However, even if there is such an authorization, employees need to make sure they understand exactly which data is covered by the authorization, risking the disclosure of unauthorized patient information.
Lack of “right to revoke” clause
It is known that healthcare entities cannot disclose PHI without express consent from the patients. This authorization is provided through a form signed by the patient – this form contains, among other information, who and how will receive the information, the expiration of that authorization, and other items (all of which are mandatory, and the absence of one of them is enough to invalidate the authorization).
Something that healthcare providers often leave out is the “right to revoke” clause, which allows the patients to, at any time, revoke the authorization they provided, and explains how to do so.
Usually, revocations have to be submitted in writing and become effective as soon as the covered entity receives them. Such refusals need to be registered by the company so that they can be audited as well.