The healthcare industry experiences more data breaches (confirmed data disclosure) than any other industry in the United States, accounting for more than 24% of all breaches.1 In 2017, healthcare data breaches compromised more than 5 million healthcare records2 and cost providers an average of $380 per record — more than any other industry and 69% greater than the overall average.
More than half of all healthcare cybersecurity incidents (regardless of whether data was compromised) are the unintentional result of employee error, or occur in various preventable ways including:3
- Loss or theft of computers, storage devices or smartphones containing patient information from cars, offices, briefcases, employees’ homes, hotel rooms, etc.
- Incorrectly addressed email containing patient information
- Electronic patient records accessed inappropriately by unauthorized employees
- Hacked servers
According to the HIPAA regulations (45 CFR 160.103):
Protected health information (PHI) is individually identifiable health information created or received by a healthcare provider regarding the physical or mental health of any individual that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (The regulatory definition is broader than this summary: it also covers information created or received by a health plan, employer or healthcare clearinghouse, and information about the provision of, or payment for, healthcare.)
Electronic protected health information (ePHI) is PHI that is created, stored, transmitted, or received electronically. The focus of the linked case studies is ePHI, although a HIPAA data breach can occur with paper records. When patient data or patient healthcare information is referenced in the case studies and best practices linked here, it refers to ePHI.
Covered entity is a health plan, healthcare clearinghouse or healthcare provider who transmits any health information in electronic form for qualifying transactions. The U.S. Centers for Medicare & Medicaid Services (CMS) website offers guidance on how to determine whether a healthcare provider is a covered entity.
Reference: Cornell Law School, Legal Information Institute. U.S. Code of Federal Regulations. “45 CFR 160.103 - Definitions.” (accessed 4/24/2018)
Even the most innocent mistake, however, if it leads to a data breach, can result in a costly and disruptive incident investigation, patient notification expenses, and significant fines and corrective action requirements.
An analysis of NORCAL Group data breach closed claims shows that inadvertent, unauthorized release of medical records or patient information is the most frequent reason for a data breach claim. Theft or loss of portable electronic devices like laptops, flash drives and smartphones is the second most frequent reason. NORCAL has also seen a marked increase in the past two years in incidents involving hacking, malware, and viruses, which together are now tied with theft/loss of portable devices as the second most common reason for a data breach claim.
The case studies linked here are based on NORCAL Mutual HIPAA data breach closed claims. The case studies introduce strategies to help reduce the risk of a HIPAA data breach and to appropriately respond to a breach when it happens. While the discussions here and in the linked case studies and best practices are not meant to be a comprehensive overview of compliance with the HIPAA Privacy Rule and Security Rule, compliance with the rules should prevent many security breaches.
What is a HIPAA Data Breach?
In general, a HIPAA data breach is an impermissible use or disclosure that compromises the security or privacy of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can show there is a low probability the PHI has been compromised based on a risk assessment of at least the following four factors:4
- The nature and extent of the PHI involved in the use or disclosure, including the types of identifiers and the likelihood that PHI could be re-identified (e.g., aggregated PHI vs. complete, intact patient records)
- The unauthorized person who used the PHI or to whom the disclosure was made (e.g., whether the inadvertent disclosure was made to another covered entity regulated under HIPAA vs. a hacker)
- The likelihood that any PHI was actually acquired or viewed (e.g., an audit trail shows there has been no access to the databases at risk vs. a stolen laptop with PHI stored on the hard drive where access cannot be determined)
- The extent to which the risk to the PHI has been mitigated (e.g., encryption keys are promptly changed and network access monitoring shows no access vs. lost device with no opportunity to determine whether access has occurred)
When performing this assessment, a covered entity must address each factor separately and then weigh the four factors together to determine the overall probability that PHI has been compromised. If the assessment shows a low probability that the PHI was compromised, the use or disclosure is not treated as a HIPAA breach and notification is not required; the written assessment must be kept, because the covered entity bears the burden of proving that conclusion if OCR asks. If, on the other hand, the covered entity cannot overcome the presumption of a breach by showing a low probability of compromise, breach notification is required.4
HIPAA Breach Analysis Flowchart
This flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred, including the four factors outlined above. It forms the basis of the analyses in the case studies linked on this page and is also included on those pages.
In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. The linked case studies focus on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws.
HIPAA Data Breach Safe Harbor and Exceptions
Whether a privacy or security incident is a HIPAA breach depends on the nature of the PHI and the circumstances of the use or disclosure. Included in the HIPAA regulations is a critical safe harbor: if an impermissible use or disclosure involves PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons (i.e., encrypted consistent with HHS guidance, or stored on media that has been cleared, purged or destroyed), it does not rise to the level of a breach and, therefore, does not require notification.4 The safe harbor turns on the state of the data when it left the entity's control: a remote wipe issued after a device goes missing is a mitigation weighed under the fourth factor above, not a substitute for having encrypted the device beforehand.
If the incident involves unsecured PHI, but the disclosure falls into one of three narrow breach exceptions, notification is similarly not required:
“The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”
(excerpt from the HHS HIPAA “HIPAA Breach Notification Rule,” line breaks added for clarity)5
HIPAA Breach Notification
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.5 Covered entities must notify affected individuals, HHS and, in some cases, the media about the HIPAA breach. To whom and when notification must occur depends primarily on the number of individuals affected by the breach. If a breach of unsecured PHI affects 500 or more individuals, the covered entity must notify the individuals and HHS without unreasonable delay, and in no case later than 60 days after the covered entity discovers the breach; the 60 days is an outer limit, not a target. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence, so the clock does not wait for the internal investigation to finish. Once notified, HHS posts the breach on the HHS Office for Civil Rights (OCR) Breach Portal website. OCR is responsible for investigating breach incidents to determine whether they resulted from HIPAA violations. OCR investigations may be initiated based on complaints, breach reports, information from other government agencies or reports in the media.
If the breach affects 500 or more residents of the same state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction. If a breach affects fewer than 500 individuals, the covered entity must notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach, and must report the breach to HHS no later than 60 days after the end of the calendar year in which the breach was discovered (the rule keys this annual report to the year of discovery, not the year the breach occurred).4,5
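The analysis above (safe harbor, then the three exceptions, then the four-factor assessment, then the notification tier) can be written down as a small triage routine so that the deadlines are computed rather than estimated under pressure. The Go program below is an added example, not code from this page or from NORCAL; the type and field names are this example's own, the scenario in main is constructed, and it encodes only the federal outer limits. It deliberately does not model the "without unreasonable delay" standard or any state notification deadline, both of which can be shorter and must come from counsel.

```go
package main

import (
	"fmt"
	"time"
)

// Incident holds the facts a privacy officer gathers before running the
// breach analysis. Field names are this example's own, not regulatory terms.
type Incident struct {
	Discovered     time.Time // date the covered entity discovered (or should have discovered) the incident
	Affected       int       // individuals whose unsecured PHI was involved
	SameStateCount int       // largest number of affected residents of any one state or jurisdiction
	Secured        bool      // PHI was encrypted or destroyed per HHS guidance when it left the entity's control
	Exception      bool      // one of the three breach exceptions applies and has been documented
	LowProbability bool      // written four-factor assessment concluded a low probability of compromise
}

// Obligations is the outcome: whether the incident is a reportable breach and,
// if so, the federal outer deadlines for each notification.
type Obligations struct {
	IsBreach      bool
	Reason        string
	IndividualsBy time.Time // notify affected individuals no later than this date
	HHSBy         time.Time // notify HHS no later than this date
	NotifyMedia   bool      // prominent media outlets serving the affected state/jurisdiction
}

// outerLimitDays is the federal ceiling. The operative standard is "without
// unreasonable delay", so these are latest dates, not targets.
const outerLimitDays = 60

// Analyze walks the same order as the breach analysis flowchart: safe harbor,
// then the regulatory exceptions, then the four-factor assessment, then the
// notification tier by number of individuals affected.
func Analyze(inc Incident) Obligations {
	switch {
	case inc.Secured:
		return Obligations{Reason: "safe harbor: PHI was secured (encrypted or destroyed per HHS guidance)"}
	case inc.Exception:
		return Obligations{Reason: "a breach-notification exception applies (document it)"}
	case inc.LowProbability:
		return Obligations{Reason: "risk assessment shows low probability of compromise (retain the written assessment)"}
	}

	o := Obligations{IsBreach: true, Reason: "presumption of breach not rebutted"}
	o.IndividualsBy = inc.Discovered.AddDate(0, 0, outerLimitDays)
	if inc.Affected >= 500 {
		// 500 or more: HHS on the same clock as individuals; media if 500+ in one state/jurisdiction.
		o.HHSBy = o.IndividualsBy
		o.NotifyMedia = inc.SameStateCount >= 500
	} else {
		// Fewer than 500: HHS within 60 days after the end of the calendar year of discovery.
		yearEnd := time.Date(inc.Discovered.Year(), time.December, 31, 0, 0, 0, 0, time.UTC)
		o.HHSBy = yearEnd.AddDate(0, 0, outerLimitDays)
	}
	return o
}

func main() {
	// Constructed scenario: an unencrypted laptop reported missing on 15 March 2018.
	inc := Incident{
		Discovered:     time.Date(2018, time.March, 15, 0, 0, 0, 0, time.UTC),
		Affected:       1200,
		SameStateCount: 700,
	}
	o := Analyze(inc)
	fmt.Printf("breach: %v (%s)\n", o.IsBreach, o.Reason)
	if o.IsBreach {
		fmt.Printf("individuals by %s, HHS by %s, media: %v\n",
			o.IndividualsBy.Format("2006-01-02"), o.HHSBy.Format("2006-01-02"), o.NotifyMedia)
	}
}
```

For the constructed scenario the routine reports a breach with individual and HHS notification due by 2018-05-14 and a media obligation; the same discovery date with 120 affected individuals yields the same individual deadline but an HHS deadline of 2019-03-01. Treat the output as the latest permissible date and plan to notify well before it.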
Safeguard PHI with Encryption to Prevent a HIPAA Data Breach
Failure to adequately safeguard PHI can result in costly and time-consuming forensic investigations to determine whether and to what extent data may have been accessed. PHI encryption is a way to avoid these difficulties. If PHI is appropriately encrypted, there is a low probability that anyone other than a party holding the decryption key will be able to decipher the contents; this is why key management (where the key is stored and who can reach it) decides whether the safe harbor actually applies, since a key kept on the same lost laptop as the data protects nothing. Using strong encryption may be the most efficient and effective means to avoid a HIPAA data breach, as the rule makes clear that impermissible use or disclosure of PHI encrypted pursuant to HIPAA guidelines is not considered a breach.6,7
HIPAA defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of confidential process or key.”8 Data at rest (i.e., data stored in work stations, laptops, tablets, phones, flash drives, or external hard drives) and data in motion (i.e., data in a non-persistent state that is in transit across the Internet, wireless networks and connections, etc.) are addressed separately in HIPAA encryption guidance.7 According to the Breach Notification Rule, the proper standards for encrypting data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.7 The appropriate standards for encrypting data in motion are consistent with any of the following NIST publications:9
- NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.
- NIST SP 800-77, Guide to IPsec VPNs: Recommendations of the National Institute of Standards and Technology.
- NIST SP 800-113, Guide to SSL VPNs.
- FIPS 140-2, Security Requirements for Cryptographic Modules (includes change notices as of 12/3/2002).
These are the editions cited in the HHS guidance. NIST revises and withdraws publications over time, so confirm the current revision of each before using it as the basis for a configuration, and record which edition was followed so the safe-harbor claim can be documented later.
General Risk Management Strategies for Avoiding a HIPAA Data Breach
Consider the following general strategies for avoiding and mitigating a data breach:4,10
Educate Staff and Clinicians
- Know what state and federal health data security laws require.
- Educate clinicians, staff and administrators on responding to a data security incident.
- Educate clinicians and staff about proper protocol when handling PHI on a mobile device.
- The HHS HealthIT website has two different computer games created for training healthcare clinicians and staff on HIPAA device security.
Assess Data Security Risk
Perform thorough HIPAA risk assessments on a regular basis:
- Analyze all sources, systems, movement and storage of PHI.
- Document the results of the risk assessment.
- Implement additional safeguards to address any security risks identified.
Mitigate Data Security Risk
Imagine all of the ways data can be inappropriately accessed and put up road blocks:
- Encrypt all PHI.
- Install software that can remotely wipe PHI from, and revoke the credentials of, a device that is lost or stolen.
- Require authentication to access mobile devices, including complex passwords or biometric measures.
- Encrypt email and text messages.
- Install software to stop viruses and malware.
Monitor for Security Breaches
Implement a data activity monitoring system to alert IT to potential security threats. The HHS OCR HIPAA Audit Protocol provides guidance for determining monitoring protocols.
Respond to Security Incidents
Have a documented data security incident response plan in place:
- Identify who is on the incident response team and what actions they will take to address the incident.
- Report security incidents to the covered entity’s information technology/security department.
- Notify affected patients and the appropriate regulatory agencies in the manner advised by your attorney.
Every data security incident is unique (despite seemingly similar fact patterns) and federal and state data security breach regulations are constantly evolving and changing. It is important to stay current with breach notification requirements. Because breach notification is time sensitive, immediate action is frequently required. Although HIPAA generally allows 60 days for notifying patients and regulatory agencies about a breach, state law may require shorter notification periods, and determining the breadth of a security incident may involve hiring outside IT professionals, which can be time consuming.
More Information About Preventing HIPAA Data Breaches
- Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
- Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
- Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
- Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
- Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
- Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach
Additional Resources for Policyholders
Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.
1. Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/9/2018)
2. Identity Theft Resource Center. “2017 Annual Data Breach Year-End Review.” (accessed 5/9/2018)
3. Intel. “Grand Theft Data — Data Exfiltration Study: Actors, Tactics, and Detection.” 2015. (accessed 5/9/2018)
4. Office of the National Coordinator for Health Information Technology (ONC). Guide to Privacy and Security of Electronic Health Information. “Chapter 7: Breach Notification, HIPAA Enforcement, and Other Laws and Requirements.” (accessed 5/9/2018)
5. HHS. “Breach Notification Rule.” (accessed 5/9/2018)
6. Federal Register Volume 78, Number 17 (Friday, January 25, 2013), Page 5644. (accessed 5/9/2018)
7. Office of the National Coordinator for Health Information Technology (ONC). Guide to Privacy and Security of Electronic Health Information. “Chapter 4: Understanding Electronic Health Records, the HIPAA Security Rule, and Cybersecurity.” (accessed 5/9/2018)
8. Cornell Law School, Legal Information Institute. U.S. Code of Federal Regulations. “45 CFR 164.304 - Definitions.” (accessed 5/9/2018)
9. California Medical Association (CMA) Legal Counsel. “Security Breach of Health Information [Document #4006].” January 2015. (accessed 5/9/2018)
10. Psychiatric Times. “How to Protect Patient Information — And What to Do if It Gets Lost or Stolen.” 3 May 2011. (accessed 5/9/2018)
Additional Linked Sources
Ponemon. “2017 Cost of Data Breach Study — United States.” (accessed 5/9/2018)
U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” (accessed 5/9/2018)
Health Info & the Law Project. “States.” (accessed 5/9/2018)
U.S. Centers for Medicare & Medicaid Services (CMS). “Are You a Covered Entity?” (accessed 5/9/2018)