What qualifies as a HIPAA Breach?

If you listen to the news, you can't avoid hearing about security hacks and stolen data. If you are affected by HIPAA, you probably also know that a data breach under this law can have serious consequences. If you possess protected health information and that data is breached, you could face penalties. However, what exactly comprises a”breach” under the law? A breach is the unauthorized access by employees or a third party to PHI/ePHI or the disclosure of the data to unauthorized parties. As the Department of Health and Human Services, who administers the Act defines it, “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information [generally breaches aren't considered to have occurred if it can be demonstrated] that there is a low probability that the protected health information has been compromised.” **

Whether you are a Covered Entity or a business associate, you are required to provide notification if a breach occurs while you are “in possession” of the PHI/ePHI. Anything that is not permitted under the Privacy Rule is considered a breach.

Examples of breaches that are common are ransomware attacks, successful hacks into the data, and cyber attacks. Another common cause of a violation of the Privacy Rule is when a laptop or the phone of a subcontractor that contains unencrypted PHI/ePHI is lost or stolen. If you follow the news, you are probably aware that these situations are all too common. It is important to note here that if data has been encrypted such that it is rendered useless, the above situations would most likely not be a breach of PHI/ePHI, so be sure all of your data is encrypted.

Please download our e-guide, “HIPAA basics: your breach notification obligations”, to learn more.

Who is regulated by HIPAA (who will need to worry about notification?)

There are two groups who are covered by these HIPAA rules. The most obvious are healthcare providers, medical offices, insurance companies, pharmacies, nursing homes and other similar organizations. These groups directly handle protected patient data and are called “Covered Entities.” There is another set of entities who, one might say, have a secondary role in handling protected health information. These entities are known under the law as “Business Associates.” A Business Associate is an entity that, in the role of a provider of a service or product to a covered entity, has access to, or come in contact with, protected health data. It is not always immediately obvious that an entity is a Business Associate (BA). For example, a BA might be an IT contractor, an accountant, a billing firm, a managed service provider, or a data storage center. Even cloud service providers are covered. Fundamentally, any entity that comes in contact with the data is regulated by HIPAA. Even if they only touch the data in the aggregate and never deal with data at the individual patient level, or if they handle the data in a purely pass-through sense, they are covered by HIPAA and are required to adhere to HIPAA notification rules if a breach occurs on their watch.

If you are affected by HIPAA data laws it is important that you get good advice to be certain you are in compliance. It is also important your disaster recovery plans include the steps you would take to meet legal requirements if a breach were to occur.

Please download our e-guide, “HIPAA basics: your breach notification obligations”, to learn more.