Looking for a Business Associate Agreement? Download our FREE starter BAA template.

Total HIPAA Logo

2018 HIPAA Breaches So Far…

We’re almost halfway through 2018, and the year has already seen numerous HIPAA breaches, some affecting hundreds of thousands of people. So far this year, Health and Human Service’s Office for Civil Rights (HHS OCR) has received 161 reports of HIPAA-related breaches affecting over 500 individuals. All these organizations are currently under investigation. Where did they go wrong? Let’s take a closer look at how these recent HIPAA breaches add up, and how you can avoid being the next statistic.

HIPAA Breach Notification Requirements

All 156 breaches share common themes: the actions each organization took when their respective breaches were realized. The HIPAA Breach Notification Rule requires Covered Entities, Business Associates, and Business Associate Subcontractors to notify affected individuals, HHS, and in some cases, the media, and the state attorney general of a breach of unsecured Protected Health Information (PHI). After the discovery of a breach of over 500 people, covered entities must notify:

  • Affected individuals by written letter or email (if the affected individual has agreed) without unreasonable delay and in no case later than 60 days following the discovery of a breach.
  • Media if more than 500 individuals are affected.
  • HHS OCR Secretary without unreasonable delay and in no case later than 60 days following a breach.
  • The attorney general depending on the state laws. For example, California, Texas, Florida, Iowa, and Oregon require you to notify the attorney general if 500+ individuals’ information is breached. Check with your state; some have a lower threshold for notification, and you may be required to report smaller breaches.

Breached entities aren’t the only organizations required to take action following a breach. The HITECH Act requires that the HHS OCR Secretary post on the HHS OCR website a list of organizations that experience a breach of over 500 individuals’ PHI. The list’s formal name is Breach Report Results, but is often referred to as the “Wall of Shame.”

2018 HIPAA Breaches

No fines have been issued – yet. The following outlines specifics about the types of entities that have experienced a breach in 2018 and are currently under investigation:

  • The majority are healthcare providers
  • 26 of the reported breaches were health plans
  • 18 were business associates
  • 2 each impacted over 500,000 people
  • 3 impacted between 100K and 300K people
  • 35 involved tens of thousands of individuals
  • 58 have experienced a hacking/IT incident
  • 7 completely lost the PHI they were to protect
  • 69 have experienced unauthorized access/disclosure (largest type of breach)
  • 23 have experienced the theft of a desktop computer, laptop or other portable devices, or paper/films
  • 42 Business Associates were present when the breaches occurred

Prevent Your Own HIPAA Breach

What can we take away from the breaches that have occurred this year? One of the most important things that stand out is – breaches can and do occur to healthcare providers, employer groups (healthcare plans), insurance agencies, business associates and business associate subcontractors. No one type of covered entity or business partner is immune. How can you help prevent a breach of your own? There are several steps to become HIPAA compliant, but five simple steps you should implement include:

  • Perform annual risk assessments,
  • Encrypt data and password protect hardware,
  • Encrypting emails with PHI,
  • Protect paper, electronic and verbal communication that has PHI, and
  • Providing regular HIPAA training to employees.

Get to know HIPAA law requirements – the rules protect your business as much as they protect your clients.

  1. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  2. https://www.healthcareitleaders.com/blog/6-simple-steps-to-prevent-a-hipaa-breach/
  3. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)