The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law whose Privacy, Security and Breach Notification Rules govern how protected health information (PHI) is used, safeguarded and, when compromised, reported. Organizations found in violation of these rules face civil penalties and, in some cases, criminal prosecution. The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires covered entities to notify affected individuals, the Secretary of Health and Human Services (HHS) and, in some cases, the media of a breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Anyone who handles PHI directly or indirectly therefore needs to understand what counts as a breach, what must be reported, to whom, and on what timeline. This article walks through the definition of a HIPAA breach and the requirements of the Breach Notification Rule.
What is considered a breach of HIPAA?
The U.S. Department of Health and Human Services (HHS) defines a breach as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of that PHI. Any such impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. To make that showing, the organization must perform and document a risk assessment that considers at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Note that the risk assessment is only required if the organization wants to rebut the presumption of a breach; the burden of proof is on the organization, and the assessment and its conclusion must be retained so they can be produced if OCR asks. When an impermissible use or disclosure occurs, a covered entity or business associate can therefore do one of two things:
- Conduct and document the four-factor risk assessment and, based on its result, either notify or conclude that no reportable breach occurred
- Treat the incident as a breach and notify without conducting a risk assessment
What are the exceptions to a breach?
HIPAA also carves out three exceptions. The following incidents are not breaches and do not trigger notification:
- Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, made in good faith and within the scope of their authority, provided the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule.
- Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement, again provided the PHI is not further used or disclosed impermissibly. A disclosure to an authorized person at an unrelated organization does not qualify.
- A disclosure where the organization has a good-faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it (for example, a letter handed to the wrong patient and taken back unopened).
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires organizations that handle PHI to report breaches of unsecured PHI, whether the cause is a cyberattack, a lost device, a misdirected mailing or an insider. It applies to covered entities (health plans, health care clearinghouses and health care providers that transmit health information electronically) and to their business associates, the organizations or individuals that create, receive, maintain or transmit PHI on a covered entity's behalf. A business associate that discovers a breach must notify the covered entity, which then carries out the individual, HHS and media notifications, unless the business associate agreement delegates that work. Unsecured PHI means PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction as specified in HHS guidance; a lost laptop with a fully encrypted disk whose key was not compromised generally does not trigger notification, while the same laptop unencrypted does. HIPAA is mandatory for organizations operating in the United States that store, transmit or use PHI. Civil penalties are tiered by level of culpability and range from $100 to $50,000 per violation, with a calendar-year cap of $1.5 million for all violations of an identical provision; these amounts are adjusted for inflation each year, so the figures currently published by HHS are higher.
What does the HIPAA Notification include?
The Breach Notification Rule requires written notice to each affected individual, sent by first-class mail or, if the individual has agreed to receive electronic notice, by email. The notice must be written in plain language and include:
- A brief description of what happened, including the date of the breach and the date it was discovered, if known
- A description of the types of unsecured PHI involved (for example, name, Social Security number, date of birth, diagnosis or treatment information)
- Steps individuals should take to protect themselves from potential harm
- A brief description of what the organization is doing to investigate the breach, mitigate harm and protect against further breaches
- Contact procedures for individuals to ask questions or learn more, which must include a toll-free telephone number, an email address, a website or a postal address
If contact information is insufficient or out of date for 10 or more individuals, you must provide substitute notice: either a conspicuous posting on the home page of your website for at least 90 days, or a notice in major print or broadcast media where the affected individuals likely reside, in both cases with a toll-free number that remains active for at least 90 days. If the breach affects more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area. Lastly, you must notify the HHS Office for Civil Rights (OCR), with the timing depending on the number of individuals affected:
- If fewer than 500 individuals are affected, log the breach and submit the log to OCR within 60 days after the end of the calendar year in which the breach was discovered.
- If 500 or more individuals are affected, notify OCR without unreasonable delay and no later than 60 calendar days after discovery, at the same time as the affected individuals are notified.
What should be done in case of a Breach?
In case of a breach, the Breach Notification Rule requires the organization to notify the affected individuals, HHS/OCR and, where required, the media. A breach is treated as discovered on the first day it is known to the organization, or would have been known through reasonable diligence, to any workforce member or agent other than the person who committed it, so the 60-day clock starts with the first credible indication, not with the end of the investigation. The only permitted delay is at the request of law enforcement: if an official states that notification would impede a criminal investigation, notification is delayed for the period specified in writing, or for no more than 30 days if the request was oral and not followed up in writing.
Notify the affected individuals
- Send written notice by first-class mail, or by email if the individual has agreed to electronic notice, without unreasonable delay and no later than 60 calendar days after discovery of the breach.
- If contact information is insufficient or out of date for fewer than 10 individuals, use an alternative form of written notice, telephone or other means.
- If contact information is insufficient or out of date for 10 or more individuals, post a conspicuous notice on your website's home page for at least 90 days, or publish it in major print or broadcast media where the individuals likely reside, and provide a toll-free number that stays active for at least 90 days.
Notify the HHS/OCR
You must notify HHS/OCR of every breach of unsecured PHI. If the breach affected fewer than 500 individuals, record it in a breach log and submit the log through the web form HHS provides within 60 days after the end of the calendar year in which the breach was discovered. If it affected 500 or more individuals, notify HHS/OCR without unreasonable delay and no later than 60 calendar days after discovery, at the same time as you notify the affected individuals; breaches of this size are published on the OCR breach portal.
Notify the media
You only need to notify the media if the breach involves more than 500 residents of a single state or jurisdiction. In that case, notify prominent media outlets serving that area, typically by press release, with the same content required in the individual notice, without unreasonable delay and no later than 60 calendar days after discovery.
Final Thought on HIPAA Compliance and Breach
A HIPAA breach can lead to substantial penalties, damage patient trust and tarnish an organization's reputation. Organizations should implement the administrative, physical and technical safeguards required by the Security Rule, encrypt PHI at rest and in transit so that a lost device or intercepted message is not a reportable breach of unsecured PHI, and keep an incident response procedure that can complete the four-factor risk assessment and the required notifications well inside the 60-day window. Ensure your employees and vendors act in accordance with the HIPAA Rules, and confirm that business associate agreements spell out who notifies whom, and how quickly, when a breach is discovered.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.