The USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store or process Private Health Information (PHI). Part of the HIPAA legislation is the HIPAA Breach Notification Rule, which mandates that organizations report security breaches within 60 days of discovering them to the authorities, to the individuals affected, and in some cases to the media.
To learn about similar requirements in European legislation, read our article on GDPR Breach Notifications.
The HIPAA Breach Notification Rule requires organizations that deal with health information to disclose cybersecurity breaches.
The Notification Rule applies both to Covered Entities – including healthcare organizations, medical practitioners and insurance companies – and Business Associates, who are organizations or individuals that provide services to the healthcare industry, and deal with Private Health Information (PHI).
HIPAA is a binding regulation for organizations operating in the USA, and noncompliance can result in fines ranging from $100 to $50,000 per violation, or per PHI record affected, with a maximum penalty of $1.5 million per year.
A breach is defined as a compromise of the security or privacy of PHI, unless there is a low chance that the protected health information was compromised.
HIPAA breach risk assessment
The probability of compromise should be evaluated based on the following factors:
The risk assessment is not mandatory. When a breach occurs, Covered Entities and Business Associates have two options:
Exceptions to the definition of a breach
HIPAA also defines the following exceptions to the definition of a breach – security incidents that do not qualify as a breach under HIPAA:
The HIPAA Breach Notification Rule may require you to notify individuals affected by the breach, the secretary of the USA Office for Civil Rights (HHS/OCR), and/or the media.
Notify Affected Individuals
Notify the secretary
You must also notify the secretary of HHS/OCR of the breach. If the breach affected fewer than 500 individuals, you should maintain an annual breach log and submit it to the secretary within 60 days of the end of the calendar year. If it affected more than 500 individuals, you must notify the secretary within the same timeframe in which you notify the affected individuals.
Notify the media
Media notification is only required if the breach involves more than 500 individuals in the same state or jurisdiction. In this case, you need to notify the media in that state or jurisdiction, by sending a press release with the same information you sent to the affected individuals in that same area. The time frame is also the same – within 60 days of discovering the breach.
Following are a few examples of real organizations that were hit by security breaches, and were required to report them according to the Breach Notification Rule.
Dominion National is an insurer covering dental and vision medical treatment. Dominion discovered in 2019 that a breach occurred, probably as early as 2010. Attackers compromised servers that had demographic information about current and past patients. The breach affected 2.6 million patients.
American Medical Collection Agency (AMCA)
AMCA is a USA medical bill and debt collector. In 2019, it discovered that attackers had compromised its systems for eight months, between 2018 and 2019. The same attack affected six HIPAA covered entities. At least 12 million patients were affected, and the data compromised was primarily personal and financial data from Quest Diagnostics, a lab testing company.
Wolverine provides outsourced statement processing to healthcare and other industries. It was hit by a ransomware attack in 2018, with six major healthcare organizations, including Blue Cross Blue Shield of Michigan, affected by the breach. 600,000 patients were affected.
UW Medicine integrates patient care and medical research for medical clinics. In 2018 it discovered that a server configuration issue resulted in exposure of its internal files to the public Internet. Exposed data included medical research, labs data, and personal data for 973,000 patients.
Zoll is a medical device vendor, which was breached in 2019. The cause was identified as a problematic server migration. During the migration, emails archived by a service vendor retained by Zoll were exposed, containing demographic data, dates of birth, and medical information, as well as some social security numbers. The breach affected 277,319 patients.
Cynet 360 AutoXDR™ is a holistic security platform including monitoring and control, prevention and detection of attacks, response orchestration, and managed incident response services. HIPAA has requirements for organizations handling PHI, including policy, process, and technology requirements, across these groups: Risk Management, Protection from Malicious Software, Log-In Monitoring, Integrity, Response and Reporting, Audit Controls, and Notification. Cynet 360 AutoXDR™ provides direct and supplemental support across all HIPAA groups.
Learn how the Cynet 360 AutoXDR™ platform helps you meet HIPAA requirements.