What is a breach under HIPAA?

Posted: Aug 25, 2014

Those working in the healthcare industry will be familiar with the Health Insurance Portability and Accountability Act (HIPAA) and the costly ramifications of a data breach, but how many fully understand what a ‘breach’ is?

HIPAA was approved by the United States Congress in 1996 and has since evolved with Title II defining the national standards for policies, procedures and guidelines for electronic healthcare (eHealth). Aimed at safeguarding the privacy and security of Protected Health Information (PHI), HIPAA also outlines and sets civil and criminal penalties for violations within the healthcare industry, known as breaches.

On announcing the final omnibus rule in January of last year, the U.S. Department of Health and Human Services (HHS) declared that the changes would strengthen the Government’s ability to enforce the law. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age,” said Kathleen Sebelius, HHS Secretary.

Endorsing the revisions to HIPAA, Leon Rodriguez, Director at the HHS Office for Civil Rights, added: “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

A breach, by definition, is the acquisition, access, use or disclosure of PHI in a manner that compromises the security or privacy of an individual. Penalties vary depending on the type of violation that occurs, but in their simplest form can be broken down into four categories:

1. Unknowing

A violation in which the Covered Entity (CE) or Business Associate (BA) did not know, and by exercising reasonable diligence would not have known that a violation had taken place.

Penalty: $100 – $50,000

2. Reasonable cause

Exposure of PHI in which the CE or BA knew, or would have known by exercising reasonable diligence, but in which the CE or BA did not act with willful neglect.

Penalty: $1,000 – $50,000

3. Corrected willful neglect

A violation in which it is established that the breach was due to willful neglect but was corrected within 30 days of discovery by the CE or BA. The infringement may be the result of conscious, intentional failure or reckless indifference.

Penalty: $10,000 – $50,000

4. Uncorrected willful neglect

As above, except that the CE or BA at fault did not correct the violation within 30 days of discovery.

Penalty: Minimum $50,000

In February this year, Healthcare IT News reported a 138% jump in the number of health records breached compared with 2012 – with many still going unreported! Just this week Community Health Systems announced that an external hacking group, known as “APT 18”, attacked its computer network, accessing the records of 4.5 million patients. The breach puts Community Health Systems firmly on the HHS’ Wall of Shame as the second largest HIPAA breach ever reported. In addition, according to the Office for Civil Rights, the breach is also the largest hacking-related HIPAA data breach ever reported.

Whether you’re a solo practitioner or a healthcare professional within a large organization, it is crucial that you remain aware of what constitutes PHI and the types of breach you could fall foul of should a violation occur.

For more on how to secure your workforce, check out these 5 top tips.

Scrypt is exhibiting at the upcoming HIMSS Privacy & Security Forum in Boston, September 8-9. Come see us at booth #28 to learn more about our secure and compliant document platform.