HIPAA Data Breaches
HIPAA has been on the books since 1996. With the advent of electronic health records, HHS adopted security regulations requiring covered entities to protect the integrity, confidentiality, and availability of electronic protected health information (e-PHI).
The Security Rule was adopted in 2003 and includes data breach notification requirements. The Office for Civil Rights at HHS is responsible for enforcing the Security Rule and other HIPAA requirements.
The definition of a covered entity includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Covered entities must (1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; (2) identify and protect against reasonably anticipated threats to the security or integrity of the information; (3) protect against reasonably anticipated, impermissible uses or disclosures; and (4) ensure compliance by their workforce.
HHS recognizes that covered entities range from the smallest provider to the largest multi-state health plan. The Security Rule is flexible and scalable, allowing covered entities to analyze their own needs and implement solutions appropriate for their specific environments based on the following factors: (1) size, complexity, and capabilities; (2) technical, hardware, and software infrastructure; (3) costs of security measures; and (4) the likelihood and possible impact of potential risks to e-PHI.
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
Since 2008, HHS has reported more than 800 breaches each affecting 500 or more individuals, and 92,000 breaches affecting fewer than 500 individuals. Civil monetary penalties and resolution agreements total $18.6 million.
Interestingly, almost half of all significant breaches have been the result of theft; almost 20 percent were the result of unauthorized access or disclosure, and 11 percent were caused by the loss of laptops, paper records, desktop computers, or portable electronic devices.
In 2013, the five largest data breaches involved:

| People Affected | Cause |
|---|---|
| 4,029,000 | 4 laptops stolen |
| 729,000 | 2 laptops stolen |
| 277,000 | Microfiche improperly disposed |
| 187,500 | Patient information mailed to other patients |
| 32,100 | Business Associate stored data on non-secured website |
The average cost of a general US data breach is approximately $200 per record.