Healthcare data breaches are becoming common. But if it happens to you, there are specific steps you must follow to comply with the HIPAA Breach Notification Rule.
Organizations of all kinds worldwide are facing increased cyber risks but healthcare has its own unique problems. In healthcare the increase in cybersecurity threats like phishing and ransomware have been especially problematic. Medical identity theft is big business.
The COVID-19 pandemic caused an even greater bump in data breaches in 2020, fueled in part by ransomware thieves taking advantage of an overstressed healthcare system. In addition to cybersecurity threats, other risks include insider theft, error and loss – common everyday occurrences that can be managed with good HIPAA Risk Analysis.
Typical Healthcare Data Breaches
There is nothing unusual, exotic or rare about a typical breach and it can happen to anyone. The Office for Civil Rights (OCR) publishes a list of all breaches affecting 500 or more individuals on the OCR breach reporting portal, also known as the HIPAA Wall of Shame. OCR is part of the U.S. Department of Health and Human Services (HHS).
The breach reports submitted in October show:
- Size – from 501 to 350,000 individuals
- Type – include theft, loss, hacking/IT incidents and unauthorized access/disclosures
- Location – email, network server, paper/films, desktop computer and electronic medical records
- Eleven of the 29 breach reports came from the same professional dental alliance located in eleven states – the total number of dental patients affected is about 173,000
Although not obvious in this list, one of the riskiest breach threats is held by HIPAA business associates. This is because some larger business associates in billing, coding, collections or customer management are handling the protected health information (PHI) of multiple covered entities. For example, in September 2020 a hacking incident reported at Blackbaud, Inc. caused the PHI of 3.3 million patients to be exposed. In 2018 another business associate, the American Medical Collections Agency (AMCA) was hacked, exposing PHI of more than 21 million individuals.
HIPAA Breach Notification Rule
When a data breach happens in healthcare the HIPAA Breach Notification Rule kicks in and requires specific actions to manage and report the breach. The rule boils down to four steps: investigate, document, notify and report. Both covered entities and business associates must have breach notification policies and procedures, but their roles are slightly different.
Not every disclosure or loss of patient information is an actual reportable breach. When patient information is disclosed, lost or compromised, it is considered a potential breach. Then, once the loss or disclosure is investigated, it might become a presumed breach, until the covered entity or business associate demonstrates there is a “low probability of compromise” to the PHI based on a breach risk assessment of at least four factors. HIPAA does not mandate the four factor analysis, but it can be helpful as a defensive measure, to prove what happened was not reportable if the analysis shows there was a low probability of compromise.
It’s important to know that HHS considers a ransomware attack to be a presumed breach. Although the breach risk assessment is not mandatory, every ransomware attack should be evaluated with the four factors to help guide next steps.
HIPAA requires that covered entities must notify all individuals whose data was compromised, no matter the size of the breach, and in the case of large breaches, must notify the media.
HIPAA also requires covered entities to report all actual breaches to HHS:
- Large breaches (affecting 500 or more individuals) need to be reported without unreasonable delay, and in no case later than 60 days after discovering the breach
- Breaches affecting fewer than 500 individuals need to be reported within 60 days after the calendar year in which the breach occurred, but may be reported sooner.
States sometimes have stricter reporting and notification requirements. California is one example, and in that case be sure to follow both state and federal HIPAA law.
Business associates must report potential breaches to their covered entity customer within 60 days of discovering the breach, or sooner if their business associate agreement requires.
The HIPAA E-Tool® Shows How
HIPAA compliance is easy step-by-step once you know the steps. The HIPAA E-Tool® contains a decision tree to guide how to analyze what happened and whether to report it.
- Everyone in the workforce should trained to recognize and encouraged to report a potential security incident or breach immediately to the HIPAA Privacy and Security officials, or to the CEO/owner of smaller organizations. (Don’t penalize anyone for “crying wolf” – you want to encourage reports.)
- Inform your lawyer.
- Isolate potentially infected computers and servers.
- Begin an investigation immediately and document everything. What happened, when was it discovered, where did it occur, what data may have been compromised, how did it occur? How many individuals may have been affected?
- If ransomware is the cause, notify the local FBI field office and cooperate with their investigation.
There is a Breach Risk Assessment guide in The HIPAA E-Tool® using the four factors to evaluate whether the loss or disclosure has a low probability of compromise. There is also guidance about how and where to report to government regulators, and templates to help draft letters to affected individuals and notice to the media. Included are tables of state breach notification and health privacy laws.
If you want to strengthen your breach notification policies and procedures don’t wait until the breach happens. If you prepare in advance you can reduce the risk, and manage the breach if it happens to you.