What is Considered a HIPAA Breach?

November 27, 2018

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify patients and other parties following a breach of unsecured protected health information (PHI). Similar provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers.

A breach is defined in HIPAA section 164.402, as highlighted in the HIPAA Survival Guide, as:

“The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

Research from Beazley found that the primary cause of breaches in 2017 was unintended disclosure. Unintended disclosure includes an email containing confidential health data being sent to the wrong patient, or a server being unintentionally configured to be publicly accessible.

What is NOT considered a HIPAA Breach?

According to exclusions specified at HHS.gov, you have NOT suffered a HIPAA breach if:

  • The exposure of PHI was accidental and caused by an inappropriate action by a workforce member or an individual carrying out tasks on behalf of the HIPAA-compliant organization, as long as the compromise occurred within the scope of their authority, without ill intent, and without expectation of repetition.
  • It was an accidental disclosure by an individual who has general authorization (and training) to access PHI at a HIPAA-compliant organization, made to another individual who is also generally authorized to access PHI.
  • The covered entity or business associate has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

HIPAA compliance changed when the HIPAA/HITECH Omnibus Final Rule went into effect in September 2013. Previously, breaches were the responsibility of HIPAA-covered entities entirely (healthcare providers, plans, and data clearinghouses). When the American Recovery and Reinvestment Act (ARRA) was passed in 2009, its Title XIII was the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH stated that business associates (service providers that handle PHI) now assume responsibility for information protection along with healthcare organizations.

Preventing HIPAA breaches in a complex healthcare landscape requires more than the routine risk assessments the rule requires. Covered entities must ensure the implementation of strong policies for establishing protections, training, business associate agreements (BAAs) and the other elements of a HIPAA-compliant, security-centered ecosystem.

Additional resource: Section 164.502 - covers required, permitted, prohibited and restricted forms of use and disclosure of protected health information (PHI).