What is Considered a HIPAA Breach

by Yenny (SU)

In order to prevent irreparable financial and reputational harm to your company, it’s worth having a healthy discussion with your employees about what is considered a breach of HIPAA. According to the U.S. Department of Health & Human Services (HHS), a breach of Protected Health Information (PHI) is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In order to understand the Health Insurance Portability and Accountability Act (HIPAA), you must comprehend the Privacy, Security, and Breach Notification Rules.

The Privacy Rule (a federal law) sets the standards for when PHI can be used or disclosed, whether electronically, in writing, or orally.1 When you’ve gone to a routine doctor’s visit, you may have noticed that one of the required forms requests permission to disclose information about your health or prescriptions to someone other than you. For example, should you be unable to pick up your prescription or answer a call regarding your condition, would you be okay with your husband or mother receiving that information instead? These guidelines are put in place to prevent sensitive information from getting into the wrong hands. A wide range of organizations must comply with the Privacy Rule, from your primary care physician and health insurance company, which have direct access to PHI, to business associates that require limited access to PHI to do their jobs (think: accountants or IT specialists).2

In order to comply with the HIPAA Security Rule, an organization must implement the required safeguards to ensure that it protects electronic health information held in its IT systems.

Electronic PHI is considered vulnerable to breaches if it has not been rendered unusable, unreadable, or indecipherable to unauthorized prying eyes or ears. But what does this really mean for businesses? HHS has published guidance on how to destroy paper files and how to encrypt electronic information. Encryption, the algorithmic process that goes well beyond mere passwords, is not strictly mandatory; whether it is required for your organization is determined by conducting a HIPAA Security Risk Assessment.

Should an employee lose a laptop or device holding valuable (and unencrypted) information, or open an email on a work computer that leads to a malware or ransomware attack, that mistake is considered a HIPAA breach.3 Consider the University of Massachusetts Amherst (UMass), which agreed to settle potential HIPAA violations after a workstation was infected with malware that resulted in the impermissible disclosure of electronic protected health information (ePHI). UMass settled with HHS for a monetary payment of $650,000.

When it comes to minimizing the negative effects of a breach, time is of the essence. Missing the required notification timeline for reporting a HIPAA breach can result in HHS opening an investigation. For breaches exposing the PHI of more than 500 patients, HHS requires that breach notification be made without unreasonable delay and in no case later than 60 days following discovery of the breach.

Providing your employees with adequate information about how HIPAA breaches are caused, along with best practices to prevent them from occurring, is critical. Colington Consulting is an industry leader in HIPAA compliance requirements. From HIPAA Security Awareness Training to implementing the required policies and procedures, their experts are well experienced in regulatory compliance. To help your organization prevent HIPAA data breaches from occurring, schedule a free initial consultation. For more information or to schedule your consultation, call 800-733-6379.