We’re almost halfway through 2018, and the year has already seen numerous HIPAA breaches, some affecting hundreds of thousands of people. So far this year, Health and Human Service’s Office for Civil Rights (HHS OCR) has received 161 reports of HIPAA-related breaches affecting over 500 individuals. All these organizations are currently under investigation. Where did they go wrong? Let’s take a closer look at how these recent HIPAA breaches add up, and how you can avoid being the next statistic.
HIPAA Breach Notification Requirements
All 156 breaches share common themes: the actions each organization took when their respective breaches were realized. The HIPAA Breach Notification Rule requires Covered Entities, Business Associates, and Business Associate Subcontractors to notify affected individuals, HHS, and in some cases, the media, and the state attorney general of a breach of unsecured Protected Health Information (PHI). After the discovery of a breach of over 500 people, covered entities must notify:
- Affected individuals by written letter or email (if the affected individual has agreed) without unreasonable delay and in no case later than 60 days following the discovery of a breach.
- Media if more than 500 individuals are affected.
- HHS OCR Secretary without unreasonable delay and in no case later than 60 days following a breach.
- The attorney general depending on the state laws. For example, California, Texas, Florida, Iowa, and Oregon require you to notify the attorney general if 500+ individuals’ information is breached. Check with your state; some have a lower threshold for notification, and you may be required to report smaller breaches.
Breached entities aren’t the only organizations required to take action following a breach. The HITECH Act requires that the HHS OCR Secretary post on the HHS OCR website a list of organizations that experience a breach of over 500 individuals’ PHI. The list’s formal name is Breach Report Results, but is often referred to as the “Wall of Shame.”
2018 HIPAA Breaches
No fines have been issued – yet. The following outlines specifics about the types of entities that have experienced a breach in 2018 and are currently under investigation:
- The majority are healthcare providers
- 26 of the reported breaches were health plans
- 18 were business associates
- 2 each impacted over 500,000 people
- 3 impacted between 100K and 300K people
- 35 involved tens of thousands of individuals
- 58 have experienced a hacking/IT incident
- 7 completely lost the PHI they were to protect
- 69 have experienced unauthorized access/disclosure (largest type of breach)
- 23 have experienced the theft of a desktop computer, laptop or other portable devices, or paper/films
- 42 Business Associates were present when the breaches occurred
Prevent Your Own HIPAA Breach
What can we take away from the breaches that have occurred this year? One of the most important things that stand out is – breaches can and do occur to healthcare providers, employer groups (healthcare plans), insurance agencies, business associates and business associate subcontractors. No one type of covered entity or business partner is immune. How can you help prevent a breach of your own? There are several steps to become HIPAA compliant, but five simple steps you should implement include:
- Perform annual risk assessments,
- Encrypt data and password protect hardware,
- Encrypting emails with PHI,
- Protect paper, electronic and verbal communication that has PHI, and
- Providing regular HIPAA training to employees.
Get to know HIPAA law requirements – the rules protect your business as much as they protect your clients.