HIPAA Data Breaches


HIPAA has been on the books since 1996. With the advent of electronic health records, HHS adopted security regulations to require covered entities to protect the integrity, confidentiality, and availability of electronic protected health information (e-PHI).

The Security Rule was adopted in 2003 and includes data breach notification requirements. The Office for Civil Rights at HHS is responsible for enforcing the Security Rule and other HIPAA requirements.

The definition of a covered entity includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Covered entities must (1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; (2) identify and protect against reasonably anticipated threats to the security or integrity of the information; (3) protect against reasonably anticipated, impermissible uses or disclosures; and (4) ensure compliance by their workforce.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments based on the following factors: (1) size, complexity, and capabilities; (2) technical, hardware, and software infrastructure; (3) costs of security measures; and (4) the likelihood and possible impact of potential risks to e-PHI.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

Since 2008, HHS has reported that there have been over 800 breaches involving 500 or more individuals, and 92,000 breaches involving fewer than 500 individuals. Civil monetary penalties and resolution agreements total $18.6 million.

Interestingly, almost half of all the significant breaches have been the result of theft; almost 20 percent were the result of unauthorized access or disclosure, and 11 percent were caused by the loss of laptops, paper records, desktop computers, or portable electronic devices.

In 2013, the five largest data breaches (ranked by the number of people affected) involved: (1) 4 laptops stolen; (2) 2 laptops stolen; (3) microfiche improperly disposed of; (4) patient information mailed to other patients; and (5) a business associate storing data on a non-secured website.

The average cost of a general US data breach is approximately $200 per record.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
