HIPAA Data Breaches: What Covered Entities Must Know
Covered entities and their business associates need to understand the basics of how HIPAA data breaches are determined, and what they can do to keep information secure.
As more healthcare organizations implement new technologies, connect to health information exchanges, and adopt electronic health record technology, they are potentially exposing themselves to more online threats and potential HIPAA data breaches.
Patient information, in particular PHI, will continue to become more accessible to providers, but also more readily accessible to unauthorized third parties and hackers.
How can covered entities and their business associates ensure that they remain current with the latest technological advances while maintaining PHI security? Can hospitals guarantee that they will never be breached? Are ransomware attacks also considered HIPAA violations?
By understanding the basics of what constitutes a HIPAA data breach, healthcare organizations will be better able to create comprehensive data security plans applicable to their own daily operations.
What constitutes a PHI breach under HIPAA regulations?
Covered entities must conduct a risk assessment using the following four factors to determine that there is a low probability that PHI was compromised:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom it was disclosed: facilities need to determine who received or viewed the data and whether they were authorized.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
The Department of Health & Human Services (HHS) has also identified three exceptions to the breach definition.
First, if a “workforce member or person acting under the authority of a covered entity or business associate” unintentionally accesses or acquires PHI “in good faith and within the scope of authority,” then it is not considered a HIPAA breach.
“The second exception,” the federal agency continues, “applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”
Finally, if the covered entity or business associate “has a good faith belief” that the unauthorized party that received the PHI would not have been able to retain the data, it is not considered a HIPAA data breach.
A key aspect to the HIPAA Breach Notification Rule, though, is that the notification requirements apply to unsecured PHI or when PHI “has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
“Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations,” HHS explains. “Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.”
Are healthcare ransomware attacks HIPAA data breaches?
With more healthcare organizations falling victim to ransomware attacks, one question has emerged: Are healthcare ransomware attacks considered a HIPAA data breach?
The answer is not a straightforward one. It could be argued that if a computer network holding PHI was accessed and the data simply encrypted, it was not necessarily viewed or obtained by a third party. The PHI was simply made inaccessible, but it was not a certainty that the unauthorized third party actually did anything with the information.
However, HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
The department's Office for Civil Rights (OCR) released ransomware guidance in July 2016 to help covered entities and business associates better understand how to keep PHI secure in such attacks. According to OCR, each situation must be treated individually, as it is a “fact-specific determination.”
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack,” OCR stated, “a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule.”
Furthermore, healthcare organizations need to prove that there is a “low probability that the PHI has been compromised,” based on the Breach Notification Rule factors.
OCR added that the determination changes when the ePHI affected by a ransomware attack had already been encrypted by the entity in line with HIPAA guidance.
“If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer ‘unsecured PHI,’ then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required,” it wrote.
Even so, the guidance maintains that where data is encrypted, further analysis is likely warranted to confirm that the PHI has in fact been rendered “unreadable, unusable, and indecipherable” to unauthorized individuals.
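As an added example (not HHS or OCR material, and not code from the article), here is how an incident-response team might encode the determination sequence described above, the encryption safe harbor, the three exceptions and the four-factor assessment, into a triage helper for ransomware and other PHI incidents. The `Incident` fields and the rule used to combine the four factors are assumptions for illustration; the real determination is fact-specific and must be documented by the entity.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Incident:
    """Facts a responder records for one PHI incident (constructed fields, not an HHS schema)."""
    phi_involved: bool
    # Was the PHI encrypted BY THE ENTITY, per the HHS guidance, before the incident?
    secured_per_hhs_guidance: bool = False
    # Was the ePHI encrypted by ransomware during the incident?
    ransomware_encrypted: bool = False
    # The three exceptions to the breach definition
    good_faith_workforce_access: bool = False
    inadvertent_authorized_to_authorized: bool = False
    recipient_could_not_retain: bool = False
    # Four-factor findings, each recorded as "does this factor point to low risk?"
    limited_identifiers_low_reid: bool = False      # factor 1: nature/extent, re-identification
    recipient_trusted_or_obligated: bool = False    # factor 2: who received or viewed it
    not_actually_acquired_or_viewed: bool = False   # factor 3: was it actually acquired/viewed
    risk_mitigated: bool = False                    # factor 4: extent of mitigation


def notification_required(inc: Incident) -> Tuple[bool, str]:
    """Return (must_notify, reason) in the order the rule text implies:
    safe harbor, then the breach-definition exceptions, then the four-factor assessment.
    Assumed combination rule: low probability if factor 3 alone clears the incident, or if
    factors 1, 2 and 4 all point to low risk. Otherwise the breach is presumed."""
    if not inc.phi_involved:
        return False, "no PHI involved"
    if inc.secured_per_hhs_guidance:
        # Encrypted per HHS guidance means it is not "unsecured PHI": no assessment, no notice.
        return False, "PHI secured per HHS guidance; breach notification not required"
    if inc.good_faith_workforce_access:
        return False, "exception 1: good-faith workforce access within scope of authority"
    if inc.inadvertent_authorized_to_authorized:
        return False, "exception 2: inadvertent disclosure between authorized persons"
    if inc.recipient_could_not_retain:
        return False, "exception 3: good-faith belief the recipient could not retain the PHI"
    # OCR: ransomware encryption means the ePHI was acquired, so factor 3 cannot be used
    # to argue that the data was never obtained.
    factor3_clears = inc.not_actually_acquired_or_viewed and not inc.ransomware_encrypted
    if factor3_clears:
        return False, "four-factor: PHI not actually acquired or viewed"
    if inc.limited_identifiers_low_reid and inc.recipient_trusted_or_obligated and inc.risk_mitigated:
        return False, "four-factor: documented low probability of compromise"
    return True, "breach presumed; notification required under the Breach Notification Rule"
```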
What happens if OCR determines HIPAA violations occurred?
Healthcare organizations should also be aware of the potential consequences of HIPAA data breaches. If OCR determines that HIPAA violations did take place, the resulting settlement agreement with the covered entity or business associate will likely include heavy financial fines.
Anything from a lack of a risk assessment to failing to adhere to certain aspects of the HIPAA Security Rule could be key determining factors for OCR in doling out punishment for a health data breach.
For example, the University of Mississippi Medical Center agreed to an OCR HIPAA settlement in July 2016. Following an investigation of a breach affecting 10,000 individuals, OCR determined that UMMC did not take adequate risk management security measures, even after UMMC was aware of certain risks and vulnerabilities to its system.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” OCR Director Jocelyn Samuels said. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
Business associates are also not exempt from adhering to HIPAA regulations. Oregon Health and Science University (OHSU) signed an OCR resolution agreement following two health data breaches it suffered in 2013.
One of the two alleged incidents occurred when OHSU notified 3,044 patients that it had stored their data with Google, an internet-based service provider that was not a business associate.
The university had reportedly used Google Mail and Google Drive, which do not have security features in place. Google was not an official business associate either, so no contractual agreement was in place to use or store OHSU patient health information.
“We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information,” OHSU Chief Information Officer Bridget Barnes said in a statement.