Carmen is managing a busy and growing medical practice. Every day the waiting room fills up early and the phones are non-stop. She has to make sure people are seen on time and the right file goes with them to the examination room. She’s also supervising four staff who greet patients, do scheduling, and data entry in the electronic health records (EHR) system. Working past five and taking work home to catch up is just part of the job. Then one weekend her laptop is stolen from the backseat of her car.
Did a HIPAA Breach Happen? Or Not?
Not every loss of data is a HIPAA breach. HIPAA calls this a “potential breach” and says you need to investigate what happened and answer a few questions for yourself to decide whether a real breach occurred. The investigation must be documented – keep a record of your questions, your answers, and what you did.
Whether a breach occurred depends on what was on the laptop and what security measures it had. If the laptop contained protected health information and was not encrypted, it may have been a breach.
Although cybercrime grabs headlines, many healthcare data breaches are not intentional. They happen because of negligence – management wasn’t paying attention. In Carmen’s case, two things went wrong. She hadn’t received HIPAA training about securing the laptop – although she is otherwise a good employee doing her best to keep up with work – and the laptop was not encrypted.
Many healthcare data breaches are preventable, with good policies, annual Risk Analysis – Risk Management and regular workforce training. Remember, HIPAA does not require perfection, but it does require knowing your risks, and taking steps to reduce the risks.
HIPAA Breaches are Common
The largest HIPAA breaches are usually caused by electronic theft or hacking. Cybercriminals find their way in by phishing through email or attacking unprotected servers carrying software that hasn’t been updated or patched, or is unencrypted. In July 2019 the ten largest HIPAA breaches reported to the Office for Civil Rights (OCR) were caused by hacking/IT incidents – once a hacker obtains access to an office’s medical records they usually obtain thousands, or in larger organizations, millions of records at one time.
Small breaches matter too. The loss of one person’s file, sending an email to the wrong patient, and an internal snooping incident are all potential breaches and need to be taken seriously. Investigate and document.
Today 21% of HIPAA breaches still involve paper records. Although electronic records have replaced a lot of paper, most organizations still have paper files. Every potential breach, small or large, must be investigated to evaluate whether a HIPAA breach occurred, and how many individuals were affected.
HIPAA Breaches are Costly
The largest case recently was caused by a billing company, the American Medical Collections Agency (AMCA) which did billing and collections for hundreds of health care providers nationwide – LabCorp and Quest are the best known. As of today, over 23 million patients had their records stolen, more than two dozen lawsuits have been filed and AMCA has declared bankruptcy. Although AMCA, as a business associate is separately responsible under HIPAA, LabCorp, Quest and the other health care providers may not be off the hook. The extent of their responsibility depends on what their agreements with AMCA said, and whether they required AMCA to comply with HIPAA.
Whether small or large, if OCR investigates a breach and finds an organization was negligent, the likely outcome is a settlement, payment of fines, and a corrective action plan. If an organization willfully ignored HIPAA, the fines are much worse. Today OCR is investigating 520 breaches (of 500 or more) from Hawaii to Maine.
HIPAA breaches are publicly embarrassing. All affected patients must be notified, and if 500 or more patients were affected, HIPAA requires you to notify prominent media outlets.
How to Investigate a HIPAA Breach
Rule number one – don’t ignore a potential breach. Gather all the information as quickly as possible, including the date of discovery. Know what to look for!
Business associates who have a breach should follow their business associate agreement. You need to notify the covered entity, and cooperate with them in the investigation.
Look at what happened, answer five key questions, and document everything. Even if it turns out not to have been a HIPAA breach, you still must document your evaluation.
Ask Five Key Questions
- Did the information include protected health information (PHI)?
- Was the PHI unsecured?
- Was it a good faith unintentional access or use by an authorized staff person, with no further use or disclosure?
- Was it an inadvertent internal disclosure to someone with authorized access – with no further use or disclosure?
- Do you have a good faith reason to believe that if an unauthorized person received the disclosure they could not retain it?
There are Three Possible Conclusions and Next Steps for Each
- The potential breach was not a breach of unsecured PHI
- Next steps – close investigation – maintain all documentation
- The facts show there may be a low probability of compromise to PHI
- Next steps – notify persons affected OR perform a Breach Risk Assessment to demonstrate & document a low probability of compromise – if unable – notify persons affected
- A breach of unsecured PHI occurred that requires Breach Notification
- Next steps – notify persons affected & take other required steps (below)
In Carmen’s case, the laptop contained names and other PHI for 480 patients. The data was unsecured and unencrypted and the laptop was not recovered. She needed to notify all the patients as soon as possible.
HIPAA Breach Notification Timelines
If it turns out to be a breach, HIPAA requires notification to the persons affected “without unreasonable delay,” and always within 60 days of discovery. A caution though – you also need to follow state law about breach notification – if the state is more restrictive (a shorter time), do that instead. For example California requires notification to the California Department of Health and to patients within 15 business days, unless a law enforcement investigation is pending.
Under HIPAA, if the breach affected 500 or more, you must also notify prominent media outlets and the U.S. Department of Health and Human Services (HHS) not later than 60 days after discovery.
If the breach affected 499 or less, you don’t need to notify prominent media outlets, but still do need to notify HHS within 60 days of the end of the calendar year in which it happened. Notification to HHS may be made online through the HHS HIPAA Breach reporting portal.
Be sure to look at your state’s requirements and follow those when they are more restrictive than HIPAA.
Help With HIPAA Breach Notification
The HIPAA E-Tool® has all the answers needed to manage a potential breach investigation. You can handle it confidently and calmly with the right forms, the right questions, a Breach Risk Assessment Tool, timelines, and draft notices to the media and affected persons. All the specific legal citations are included, if you have a lawyer helping you, which saves legal costs. And we are a phone call away to help.