HIPAA Breach Notifications: Everything You Need to Know
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store or process Protected Health Information (PHI). Part of the HIPAA legislation is the HIPAA Breach Notification Rule, which mandates that organizations report security breaches within 60 days of discovering them to the authorities, to the individuals affected, and in some cases to the media.
To learn about similar requirements in European legislation, read our article on GDPR Breach Notifications.
The HIPAA Breach Notification Rule requires organizations that deal with health information to disclose cybersecurity breaches.
The Notification Rule applies both to Covered Entities – including healthcare organizations, medical practitioners and insurance companies – and to Business Associates, which are organizations or individuals that provide services to the healthcare industry and handle Protected Health Information (PHI).
HIPAA is a binding regulation for organizations operating in the USA, and noncompliance can result in fines ranging from $100 to $50,000 per violation or per PHI record affected, with a maximum penalty of $1.5 million per year.
How does HIPAA Define a Breach Requiring Notification?
A breach is defined as a compromise of the security or privacy of PHI, unless there is a low probability that the protected health information was actually compromised.
HIPAA breach risk assessment
The probability of compromise should be evaluated based on the following factors:
What type of health information was involved, which types of identifiers it contained, and how likely it is that individuals can be re-identified from the data
Who the person accessing the PHI without authorization was, or to whom the information was disclosed
Whether the PHI was actually received, viewed or used by the unauthorized person
Whether the risk has been mitigated – for example, there may have been a cybersecurity breach, but the attack was remediated before any PHI was transferred outside the organization.
The risk assessment is not mandatory. When a breach occurs, Covered Entities and Business Associates have two options:
Conduct a risk assessment and then decide whether to issue a breach notification
Notify immediately, without conducting a risk assessment
Exceptions to the definition of a breach
HIPAA also defines the following exceptions – security incidents that do not qualify as a breach under HIPAA:
Unintentional access to or use of PHI by an employee, made in good faith and within the scope of their authority.
Accidental disclosure of PHI by an authorized person to another person who is authorized to access the PHI, at the same organization or at another organization that has authorized access to that data.
The organization has a good-faith belief that the person who obtained the PHI cannot retain or make use of it.
HIPAA Data Breach Notification Requirements: What Do You Need to Do If You Are Breached?
The HIPAA Breach Notification Rule may require you to notify the individuals affected by the breach, the Secretary of the US Department of Health and Human Services via its Office for Civil Rights (HHS/OCR), and/or the media.
Notify Affected Individuals
You must notify all affected individuals that their PHI was compromised.
Notification must be sent within 60 days of discovering the breach, by first-class mail, or by email if the individual has agreed to electronic communication.
If you do not have contact details for 1-9 affected individuals, use an alternative communication method such as a phone call or another form of written notice.
If you do not have contact details for more than 10 persons, you may post a prominent notice on the homepage of your company website, or in major print or broadcast media in the individuals' place of residence.
Notify the secretary
You must also notify the Secretary of HHS/OCR of the breach. If the breach affected fewer than 500 individuals, you must maintain an annual breach log and submit it to the Secretary within 60 days of the end of the calendar year. If it affected more than 500 individuals, you must notify the Secretary within the same time frame in which you notify the affected individuals.
Notify the media
Media notification is only required if the breach involves more than 500 individuals in the same state or jurisdiction. In this case, you must notify the media in that state or jurisdiction by sending a press release containing the same information you sent to the affected individuals in that area. The time frame is also the same: within 60 days of discovering the breach.
Recent HIPAA Breach Examples
The following are examples of real organizations that were hit by security breaches and were required to report them under the Breach Notification Rule.
Dominion National is an insurer covering dental and vision treatment. In 2019, Dominion discovered a breach that had probably begun as early as 2010. Attackers compromised servers holding demographic information about current and past patients. The breach affected 2.6 million patients.
American Medical Collection Agency (AMCA)
AMCA is a US medical billing and debt collection agency. In 2019, it discovered that attackers had had access to its systems for eight months, between 2018 and 2019. The same attack affected six HIPAA Covered Entities. At least 12 million patients were affected, and the compromised data was primarily personal and financial data belonging to patients of Quest Diagnostics, a lab testing company.
Wolverine provides outsourced statement processing to healthcare and other industries. It was hit by a ransomware attack in 2018, and six major healthcare organizations, including Blue Cross Blue Shield of Michigan, were affected by the breach. 600,000 patients were affected.
UW Medicine integrates patient care and medical research for medical clinics. In 2018, it discovered that a server configuration issue had exposed its internal files to the public Internet. The exposed data included medical research, lab data, and personal data for 973,000 patients.
Zoll is a medical device vendor that was breached in 2019. The cause was identified as a problematic server migration. During the migration, emails archived by a service vendor retained by Zoll were exposed; they contained demographic data, dates of birth and medical information, as well as some Social Security numbers. The breach affected 277,319 patients.
Cynet 360: End-to-End Security for HIPAA Compliance
Cynet 360 is a holistic security platform that includes monitoring and control, prevention and detection of attacks, response orchestration, and managed incident response services. HIPAA imposes policy, process and technology requirements on organizations handling PHI, across these groups: Risk Management, Protection from Malicious Software, Log-In Monitoring, Integrity, Response and Reporting, Audit Controls, and Notification. Cynet 360 provides direct and supplemental support across all HIPAA groups.
Learn how the Cynet 360 platform helps you meet HIPAA requirements.