The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, created national standards that protect private health information from disclosure without a patient’s consent or knowledge. Healthcare organizations and business associates with whom they share protected health information (private health information) are subject to HIPAA laws and are called covered entities.
When patients visit a healthcare provider, they do not expect people without a need to know to gain access to their private health information. However, this can happen when a healthcare organization experiences a HIPAA breach. It is not reassuring to learn that an organization charged with protecting private health information failed to keep that information safe.
When a HIPAA breach compromises a patient’s private health information, there will be looming concerns about how other people might use it. If you work for an organization that stores client or patient information on computers, in the cloud, or on desks, it is essential to know how easily a HIPAA breach can happen. This HIPAA breach overview will offer insight into HIPAA breaches and why it is crucial to protect private health information.
What Is a HIPAA Breach?
A HIPAA breach occurs when data subject to the Privacy Rule is used or disclosed without a patient’s knowledge or permission. If the entity or associate responsible for the data or information can prove there is a low probability that the protected health information is compromised, the incident is not considered a HIPAA breach. The following conditions determine if there is a HIPAA breach risk:
(1) The type of protected health information disclosed or used, including identifying data and the likelihood of re-identification.
(2) The unauthorized individual who saw or used the protected health information.
(3) Whether an unauthorized person could obtain or view the data.
(4) Whether the covered entity sufficiently mitigated the risk.
Three Exceptions to a HIPAA Breach
The three exceptions to a HIPAA breach cover circumstances where the disclosure or use of protected health information is unintentional. The first is when the access or use is within the scope of the person's work and in good faith. If a medical assistant picks up the wrong chart and opens it, revealing a patient’s information, and the reason for opening the chart was not to pry, that would be an unintentional breach.
Another instance of unintentional disclosure or use is if the entity authorized to access and use protected health information disclosed it to an associate or entity not authorized to use it. An example of this type of disclosure is a specialist emailing the wrong patient information to a doctor in the same practice. Both parties are permitted to have access to the information. The specialist recognizes that the email contained the wrong information, deletes the email, and informs the colleague. The information was not further shared or used.
The last exception is if the covered entity has disclosed protected information to a party that would not have been able to retain it. For example, a patient enters a medical practice, and the receptionist gives the patient a form that contains another patient’s name and personal information. The patient receiving the form notices the mistake immediately, informs the receptionist, and returns the paper. The receptionist can decide whether the patient could have retained any personal information during the brief encounter with the form.
Notification of HIPAA Breach
When a HIPAA breach occurs, breach reporting is required. A covered entity must notify the affected persons, the Secretary of Health and Human Services, and, where appropriate, the media. If the breach occurs through a business associate’s actions, such as those of a lab, insurance company, or third-party billing agency, the associate must notify the covered entity. HIPAA breach reporting is necessary to protect the public. When an affected party reports a HIPAA breach to the Department of Health and Human Services Office for Civil Rights, the agency reviews the complaint to determine whether a covered entity is responsible for the breach and whether a HIPAA breach investigation is warranted. The OCR will investigate if the complaint is against a covered entity.
Case Studies Demonstrating Examples of Violations
An individual who filed a complaint was both an employee and a patient at a hospital. She reported that someone disclosed her protected information to her supervisor without her permission. The hospital’s operating room distributed a surgery schedule that contained information about the employee’s surgery, and someone shared it with her supervisor. Her supervisor did not need to know the information. The operating room staff should not have distributed the schedule to individuals without a need to know. As a result of this incident, the hospital disciplined the employee who impermissibly distributed the schedule. The hospital also revised the operating room’s schedule distribution to include only those who have “a need to know.”
In another incident, an employee of a private medical practice discussed HIV testing procedures with a patient in a waiting room, disclosing private health information in the presence of other patients. The same practice had computer screens positioned where other patients could see personal health information. The medical practice should have had a policy requiring staff to discuss private health information privately, away from other patients. The office should also have shielded its computer screens so patients could not see them. The U.S. Department of Health and Human Services Office for Civil Rights required the practice to implement policies and procedures to prevent private health information disclosure. The medical practice retrained staff and put physical safeguards in place to avoid impermissible disclosures.
Healthcare Data Breach Statistics
Statistics show how frequent healthcare data breaches are. For example, according to the HIPAA Journal, the number of healthcare data breaches increased by 25 percent in 2020, and more than 20 million medical records were breached. Among the breaches were 642 reported data breaches of 500 or more records, including one breach of 10 million records. Hacking was the main cause of healthcare data breaches. Network servers where patient information is stored are vulnerable to breaches and are common targets for hackers and ransomware criminals.
Protect Your Organization from HIPAA Breaches
We can assist you in determining your vulnerability to HIPAA breaches. By assessing your administrative and communication practices, we can help you discover areas where there could be weaknesses that might result in HIPAA breaches. Contact us today, and we will get started.