HIPAA Data Breaches


HIPAA has been on the books since 1996. With the advent of electronic health records, HHS adopted security regulations to require covered entities to protect the integrity, confidentiality, and availability of electronic protected health information (e-PHI).

The Security Rule was adopted in 2003 and includes data breach notification requirements. The Office for Civil Rights at HHS is responsible for enforcing the Security Rule and other HIPAA requirements.

The definition of a covered entity includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Covered entities must (1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; (2) identify and protect against reasonably anticipated threats to the security or integrity of the information; (3) protect against reasonably anticipated, impermissible uses or disclosures; and (4) ensure compliance by their workforce.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments based on the following factors: (1) size, complexity, and capabilities; (2) technical, hardware, and software infrastructure; (3) costs of security measures; and (4) the likelihood and possible impact of potential risks to e-PHI.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

Since 2008, HHS has reported that there have been over 800 breaches involving 500 or more individuals, and 92,000 breaches involving fewer than 500 individuals. The total civil monetary penalties and resolution agreements total $18.6 million.

Interestingly, almost half of all the significant breaches have been the result of theft; almost 20 percent were the result of unauthorized access or disclosure, and 11 percent were caused by the loss of laptops, paper records, desktop computers, or portable electronic devices.

In 2013, the five largest data breaches involved:

People Affected    Cause
4,029,000          4 laptops stolen
729,000            2 laptops stolen
277,000            Microfiche improperly disposed
187,500            Patient information mailed to other patients
32,100             Business Associate stored data on non-secured website

The average cost of a general US data breach is approximately $200 per record.



Published In: General Business Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
