What happens in a HIPAA breach?

Even if you’re HIPAA compliant, you’re not immune to data breaches. In today’s increasingly digital environment, data breaches are a common and unfortunate occurrence. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), understands this. If you have a breach, it doesn’t necessarily mean it was a result of a HIPAA violation.

However, under HIPAA, there are specific steps you need to take to mitigate any risk to the HIPAA protected health information that you hold and process in anticipation of a breach. And if you do experience a breach, there are specific protocols you should follow depending upon the severity of the breach. The best defense for a data breach is preparation.

What is a data breach according to HIPAA?

According to HIPAA, a breach occurs when protected electronic Personal Health Information (ePHI) is used or disclosed in any way that compromises its security or privacy in violation of the Privacy Rule. For a leak of information to be considered a breach under HIPAA, the information exposed must be unsecured. Unsecured ePHI is ePHI that hasn’t been “rendered unusable, unreadable, or indecipherable to unauthorized persons” by encryption or destruction of the data.

How can you avoid HIPAA violations in the event of a breach?

You can avoid HIPAA violations if you’ve made a thorough and continuous effort to stay in compliance before any breach occurs. This means you do periodic risk assessments and have made sure that all ePHI – whether at rest or in transit – is encrypted to NIST standards so that the data is unreadable, undecipherable, and unusable by unauthorized parties if there is a breach.

Many data breaches go unnoticed because companies fail to conduct regular risk assessments and don’t catch them, which increases their chances of being charged with a violation of negligence.

Companies must train all staff and have written protocols in place for personnel to follow in the event of an emergency, security, or data breach.

If there is a breach, but the ePHI is secured because it is encrypted to the extent that it is unreadable, undecipherable, and unusable by any unauthorized parties, you may not be subject to the Breach Notification Rules. However, you should still do a risk assessment. It will be up to you to recognize the severity of a breach to be able to take the correct action under HIPAA and to prove to the HHS that you did.

The burden of proof is on you

If you have a breach, you’ll have to be able to prove to the HHS either that the ePHI was unusable and did not constitute a breach, or that you’ve responded appropriately by sending out all of the breach notifications required under HIPAA.

The HHS strongly urges covered entities (you) to perform a risk assessment if you suspect a breach. The goal of the risk assessment is to discover the following:

  • If unsecured ePHI was improperly viewed or obtained.
  • The type and amount of the ePHI as well as the likelihood of personal identifiers, what kind they are (name, medical numbers, etc.)
  • The possibility of any data that has been de-identified by encryption (no longer able to identify an individual) of becoming re-identified by an unauthorized party.
  • The identity of the illegal party who is responsible for the breach or who received the data (if possible).
  • The extent to which you were able to mitigate any damage caused by the breach.

If the HHS does an audit and finds that there may have been some impermissible use or disclosure of ePHI that you didn’t report, they’re going to ask you why.

Your risk assessment is your only defense against appearing culpable. It’s also how you might find out whether your situation falls under one of the three exceptions to a breach of ePHI. These are situations where you might not be found liable for a violation:

  1. Unintentional access, acquisition, or use of ePHI by an authorized employee while doing his or her job.
  2. Accidental disclosure of ePHI by one authorized person to another authorized person.
  3. Disclosure of ePHI by an authorized person who believed that the unauthorized person who received the ePHI wouldn’t be able to view, use, or retain it.

How do you perform a HIPAA Risk Assessment?

A risk assessment can help you identify risks and vulnerabilities so that you can develop and implement administrative safeguards and protections that keep ePHI secure under the HIPAA Security Rule. The US Department of Health & Human Services (HHS), offers guidance on risk assessments on its website as well as a Security Risk Assessment (SRA) Tool that helps walk you through the risk assessment process. HIPAA recommends that you perform risk assessments annually and anytime you implement new work procedures, update systems, redesign programs, or experience a security incident like a data breach.

What is the HIPAA Breach Notification Rule?

If you have a breach, but your risk assessment has determined that ePHI is secured (encrypted), you might not be subject to the Breach Notification Rule. But if there is any chance that unsecured ePHI was improperly used or disclosed, you have to follow specific notification rules to stay in compliance.

Victim notification letter:

You must notify each person whose ePHI is suspected of having been accessed, acquired, used, or disclosed within 60 days from the day of discovery of a data breach (unless law enforcement needs a delay of notification to investigate criminal activity.) The breach notification letter for affected individuals can be created on the HHS website once you have the details of the breach. The letter must include the following information:

What happened and the date it happened — Breaches are considered “discovered” the same day that the breach is known or should’ve been known if you were exercising diligence under HIPAA.

  • A description of the PHI involved in the breach
  • Steps affected individuals can take to protect themselves further
  • A description of what the covered entity is doing to mitigate the breach
  • Contact information for affected individuals to find out more information

Notification to HHS Secretary:

You must notify the Health and Human Services Secretary of any breach. Companies can report a breach on the OCR Website.

  • If a breach affects more than 500 victims, you must report the breach to HHS and the media. OCR will display details about the breach on its website (known in the industry as “the wall of shame.” You don’t want your name on this wall.)
  • If the breach involves less than 500 people, you must report it to HHS within 60 days of the end of the year in which the breach occurred.

Business Associates notification:

Business Associates must notify the covered entity if ePHI is suspected of having been accessed, acquired, used, or disclosed in a data breach.

For more details and guidance on the HIPAA Breach Notification Rule check out what the HHS has to say.

How significant are the fines for noncompliance resulting in a breach?

If the Office for Civil Rights (OCR) concludes that a HIPAA breach occurred because of noncompliance, the severity of the penalty will depend upon the extent to which it finds a company negligent.

HIPAA has four categories for violations. Fines can be imposed each year, every year for each violation category. The four different tiers of penalties depend upon the severity of the violation. Cases involving willful neglect (Tier 3 and Tier 4 can lead to criminal charges.) Breach victims can also file civil lawsuits against covered entities.

Tier 1: $100-$50K per violation. $25K max per year. Unaware of the HIPAA violation and even by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Tier 2: $1K – $50K per violation. $100K max per year. Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.

Tier 3: $10K-$50K per violation. $250K max per year. Willful neglect of HIPAA rules with the violation corrected within 30 days of discovery.

Tier 4: $50k per violation. $1.5M max per year. Willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.

Keep your name off of the wall of shame

As everything we do becomes more digital, you’re better off expecting a data breach than thinking it won’t happen to you. Breaches will be a part of life and business and the best thing you can do to protect your brand and your clients is get in front of them. If your HIPAA compliance needs a bit of dusting off, check out our HIPAA Compliance Checklist for 2020 and make sure you’re ahead of the game.