HIPAA Security Incident vs Breach
What's the Difference?
Today I am breaking down the difference between a HIPAA security incident vs breach. First, allow me to set the stage with definitions to provide some clarification.
What are HIPAA Security Incidents?
The HIPAA Security Rule defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of a security incident at 45 CFR 164.304).
When a security incident happens, and they do happen, effective response planning can be a major factor in how much operational harm, reputational harm, and/or legal liability an organization suffers. Being able to respond to incidents in a systematic way ensures appropriate response steps are taken each time, helping to minimize the impact of breaches.
What would you do?
What if this scenario happened in your organization, would your workforce know what to do?
"My office just experienced a cyber-attack!"
The previous example emphasizes the importance of creating a security incident response plan for your organization.
Incident Response Plan
An Incident Response Plan is intended to assist Covered Entities (CEs) and their third-party vendors, referred to by the Department of Health and Human Services (HHS) as Business Associates (BAs), in detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services to normal.
When establishing your incident response capabilities, CEs and BAs should consider:
- Developing written incident response policies, plans and procedures
- Building relationships and setting up plans for communicating with internal and external parties regarding incidents
- Staffing and training
What is a HIPAA Security Breach?
The HIPAA Security Rule identifies breaches as an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information (PHI). (See the definition of a breach at 45 CFR 164.402).
An impermissible use and/or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates there is a low probability the PHI has been compromised based on a risk assessment.
OCR provides an All Case Examples list of HIPAA compliance enforcement actions, organized by CE type or issue. The list contains several case studies of impermissible uses and/or disclosures. I recommend reviewing the list to see how OCR addressed each one.
It is a HIPAA Breach, Now What ...
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires that, following a breach of unsecured protected health information (PHI), CEs and their BAs notify affected individuals, the Secretary, and, when required, the media.
Notification By a Third-Party Vendor
BAs must notify CEs if a breach occurs at or by the BA. The BA must provide notice to the CE without unreasonable delay, and no later than 60 days from the discovery of the breach. Where possible, the BA should provide the CE with the identity of each individual affected, as well as any other available information.
The Office for Civil Rights (OCR) "Wall of Shame"
More and more people are hearing of OCR’s “Wall of Shame.” All it takes to join this infamous list is a breach of unsecured PHI that affects 500 or more individuals. After you’ve reached that magic number (500 or more patient records breached), you must notify the media.
If a breach affects fewer than 500 individuals, the CE must notify the Secretary and affected individuals. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
Did You Know?
Breaches are not the ONLY way to make it on the wall.
Oh no, all it takes is for someone to file a complaint about your organization involving any of these reasons:
- Civil Rights
- Conscience and Religious Freedom
- Health Information Privacy
Once OCR receives a complaint, it begins an investigation. When they come calling, they don’t ONLY look at areas related to the complaint. Instead, they look at your ENTIRE compliance program.
Now I ask you: if this happened, would YOU be ready for OCR?
See Why it Matters
In 2018, there were 76 healthcare data breaches involving Business Associates added to the “Wall of Shame”, and 5,730,242 patients’ medical records were breached. By breach type:
- Hacking/IT Incidents = 35
- Unauthorized Access/Disclosure = 34
- Loss = 5
- Theft = 2
For more details about the HIPAA Breach Notification Rule, visit the HHS website.
It doesn’t matter what size your organization is: hackers know healthcare is rich with unsecured data, worth approximately $408.00 per record on the Dark Web.
Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility.
Providers and third-party vendors need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.