Understanding and managing a HIPAA breach

With the frequency of healthcare data breaches surging every year, identifying breaches and reacting appropriately is essential. In 2016, recorded cases amounted to 329. In contrast, 2023 that figure grew significantly to a reported number of approximately two breaches per day, totaling an alarming rate of more than 739 incidents annually. “As of the end of February 2024, the number of healthcare data breaches for the year was already nearly 100,” says Definitive Healthcare. 

How to identify a HIPAA breach

Identifying a HIPAA breach involves several systematic steps to ensure compliance with regulations and protecting patient information. Here’s a summary of the key steps:

Monitor access and usage logs

• Regularly review logs for electronic health records (EHR) systems and other PHI repositories.
• Look for unusual or unauthorized access patterns and access by unauthorized individuals.
  
  

Conduct regular audits

• Periodically audit PHI access and handling practices.
• Check for compliance with HIPAA policies, use of security measures, and adherence to access controls.
  
  

Investigate suspicious activities and reports

• Investigate reports of suspicious activities or potential breaches.
• Pay attention to incidents like lost or stolen devices, improper disposal of PHI, and emails sent to unintended recipients.
  
  

Evaluate unauthorized access and disclosures

• Assess incidents to determine if they meet the criteria for a breach.
• Consider the nature of the PHI involved, the unauthorized person, and whether the PHI was viewed or acquired.
  
  

Analyze and classify incidents

• Classify the incident based on the type (e.g., hacking, unauthorized access, theft/loss, improper disposal) and severity.

See also: HIPAA Compliant Email: The Definitive Guide

What to do if you suspect a breach

1. Identify and confirm the breach
   • Assess the situation: Determine if the incident qualifies as a breach under HIPAA. A breach is any impermissible use or disclosure of PHI that compromises its security or privacy.
   • Gather information: Collect all relevant information about the incident, including how it occurred, the data involved, and the individuals affected.
2. Contain and mitigate the breach
   • Stop the breach: Immediately take steps to stop any ongoing unauthorized access or disclosure of PHI.
   • Mitigation measures: Implement measures to mitigate any potential harm. This could involve retrieving disclosed information, enhancing security protocols, or providing additional training to staff.
3. Notify affected individuals
   • Notification requirement: Notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.
   • Content of notification: Include a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, what your organization is doing to investigate and mitigate the breach, and contact information for further inquiries.
4. Notify the Department of Health and Human Services (HHS)
   • Breaches affecting fewer than 500 individuals: Report annually to the HHS Office for Civil Rights (OCR) within 60 days of the end of the calendar year in which the breach was discovered.
   • Breaches affecting 500 or more individuals: Notify the OCR without unreasonable delay and no later than 60 days from the breach's discovery. Public media notification may also be required.
5. Conduct a risk assessment
   • Four-factor analysis: Evaluate the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
6. Review and improve security measures
   • Policy review: Reassess and update privacy and security policies and procedures to prevent future breaches.
   • Training: Provide additional training to employees on HIPAA compliance and security practices.
7. Documentation
   • Record keeping: Maintain documentation of the breach, notifications, and the actions taken to address it. This is crucial for compliance and potential audits.
8. Legal and professional advice
   • Consult experts: Engage with legal counsel or a HIPAA compliance expert to ensure all regulatory requirements are met and to seek advice on managing the situation effectively.

See also: What are the HIPAA breach notification requirements

FAQs

How can I monitor for potential HIPAA breaches?

Monitoring can be done through:

• Reviewing access and usage logs regularly.
• Conducting periodic audits of PHI handling practices.
• Using security tools like SIEM systems, DLP solutions, and IDPS to detect unusual activities and potential intrusions.

What is the difference between a security incident and a breach?

A security incident is a broader term that includes any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information. A breach is a specific type of security incident where PHI is accessed or disclosed in a way that compromises its security or privacy.

Go deeper: When does a HIPAA incident become a breach?

What is the difference between a security incident and a breach?

A security incident is a broader term that includes any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information. A breach is a specific type of security incident where PHI is accessed or disclosed in a way that compromises its security or privacy.