
When Your Data Breach Doesn’t Need HIPAA Breach Reporting


You hear about HIPAA breach reporting more each year, and the trend is real. As attackers get more capable, breaching healthcare data that is still comparatively poorly protected gets easier.

Healthcare data is also particularly enticing. Unlike a password or a bank account number, which can be changed after a compromise, the identifiers in a medical record (a name, a date of birth, a Social Security number) do not change.

They can be used for fraud for years after the original theft. You hope it never happens to you, but what if it does? Like most practices, you want to stay compliant, so you do your legal duty and promptly file a HIPAA breach report.

But have you considered that the incident you are reporting may not meet the definition of a reportable breach at all? Many practices over-report, and over-reporting can do more harm than good.

3 Reasons Unneeded HIPAA Breach Reporting Harms Your Practice

Reporting an incident that does not qualify as a HIPAA breach is not just wasted effort. Lost productivity is bad enough, but filing an unnecessary breach report creates other problems:

  • A breach report invites scrutiny from HHS's Office for Civil Rights (OCR) of both the incident and your safeguards. Reports affecting 500 or more individuals are investigated as a matter of course, and that investigation can end in fines of thousands of dollars over an incident that was never a reportable breach.
  • Your practice runs a much higher risk of a broader HIPAA compliance review. That opens a can of worms: violations found elsewhere in your practice bring their own fines and penalties.
  • Your exposure grows in other ways too: bad publicity, negative online reviews, lost patients, and a harder time attracting new ones. Breaches affecting 500 or more individuals are also posted publicly on the HHS breach portal.

The 2013 Omnibus Rule Tells You When HIPAA Breach Reporting Is Needed

Unfortunately, many practices simply don't know the specific requirements for an incident to rise to the level of HIPAA breach reporting, and yours might be one of them. The 2013 Omnibus Rule, the final rule that modified the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, contains the answers.

The Omnibus Rule, which combined four final rules into one, defines a breach as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted [under the Privacy Rule] which compromises the security or privacy of the protected health information" (45 CFR 164.402). Note the two halves of that definition: an impermissible use or disclosure is required, but so is a compromise of the PHI's security or privacy. Exposure of PHI on its own does not automatically mean your practice has suffered a reportable breach.

An Incident Review Process Assesses Suspected Incidents

The Omnibus Rule presumes that an impermissible use or disclosure is a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised. If you can, no notification is required. Two practical points follow. First, the burden of proof is on you (45 CFR 164.414), so keep the written assessment with your compliance records, which HIPAA requires you to retain for six years. Second, the Breach Notification Rule applies only to unsecured PHI: if the data was encrypted in line with HHS guidance and the key was not exposed (a lost laptop with full-disk encryption, for example), the incident is not a reportable breach at all. For everything else, the risk assessment must weigh at least these four factors:

  1. What is the nature and extent of the PHI involved? Identify the types of identifiers exposed and the likelihood that the patient(s) could be re-identified. Did the incident involve financial information, medical histories, Social Security numbers, or dates of birth, or only, say, a list of appointment times with no names attached?
  2. Who used the PHI or received the disclosure? The rule asks about the unauthorized person, not about who slipped up. A disclosure to another HIPAA covered entity or business associate, which is itself obligated to protect the information, carries far less risk than one to an unknown third party. Remember that since the Omnibus Rule, business associates are directly liable under HIPAA, and a business associate's incident is your incident too.
  3. Was the PHI actually acquired or viewed? If an email containing patients' PHI was sent to the wrong party, can you verify whether the recipient opened it, or deleted it unread, or forwarded it to anyone else? Mail server logs and a written attestation from the recipient are the evidence you want here.
  4. To what extent has the risk been mitigated? OCR, which enforces the Breach Notification Rule, will want to see what corrective action you have already taken to limit the exposure: obtaining the recipient's written assurance that the PHI was destroyed, remotely wiping a stolen device, or deploying encryption and remote-wipe capability to the rest of your fleet. For example, if an unencrypted smartphone was stolen, did you wipe it remotely, and have you since installed such software on your other devices?

An Incident Response Plan Reduces Your Breach Cost

Data breaches cost healthcare organizations an average of almost $6.5 million, more than 60 percent above the cross-industry average, according to the 2019 Cost of a Data Breach study from IBM Security and the Ponemon Institute. That doesn't mean your practice is doomed to go bankrupt from a data breach.

A written, regularly tested incident response plan helps control the fallout, and the fines. Organizations with an incident response team that tested its plan extensively had $1.23 million lower breach costs than those with neither, according to the same study. A plan also helps you identify and report breaches faster, which matters because HIPAA's notification deadline (without unreasonable delay, and no later than 60 calendar days after discovery) starts running as soon as the incident is known, or by reasonable diligence would have been known, to any member of your workforce other than the person who caused it.

On average, the healthcare industry took 236 days to identify a breach and more than 80 more to contain it, almost two months longer than the average across other industries, according to the IBM/Ponemon report. Unfortunately, most organizations, healthcare and otherwise, don't have a comprehensive incident response plan that covers every part of the organization, including finance, HR, and the executive team. And it almost goes without saying: your appointed HIPAA security or privacy officer must be part of any response plan you create, because the four-factor assessment above is theirs to run and document.

3 Exceptions That Mean You Might Not Need HIPAA Breach Reporting

The Omnibus Rule's definition of a breach may be a mouthful, but one of the most important things to remember is that it carves out three exceptions. If an incident at your practice fits one of them, it is not a breach by definition and no notification is required, though you should still document why the exception applies. The three exceptions are:

  1. Unintentional acquisition, access, or use of PHI by a workforce member or someone acting under the authority of the covered entity or business associate, made in good faith and within the scope of that person's authority, provided it does not result in any further impermissible use or disclosure. A nurse who opens the wrong patient's chart, realizes the mistake, and closes it is the classic case.
  2. Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or within the same organized health care arrangement), provided the PHI is not further used or disclosed in a way that violates the Privacy Rule.
  3. A disclosure where you have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information, for example, statements mailed to the wrong address and returned by the post office unopened.

For more strategies on deciding whether a data breach requires HIPAA breach reporting at all, you may be interested in an online training from HIPAA expert Gina L. Campanella, Esq., FACHE. Gina breaks down the key indicators you must know to determine whether a reportable HIPAA breach has occurred, and helps you avoid the consequences of both over- and under-reporting.
