With the adoption of new technologies, electronic health record systems and participation in health information exchanges, more healthcare organizations are exposing themselves to HIPAA data breaches and other online threats. In this environment, Protected Health Information (PHI) is not only available to the people who legitimately need it but is also becoming more accessible to hackers and unauthorized third parties. Covered entities and business associates therefore need to keep up with advancing technologies to maintain PHI security. Understanding the basics of a HIPAA data breach and the underlying reasons one occurs is the first step in creating comprehensive data security plans that healthcare organizations can apply to their daily operations.
Defining PHI Breach as per HIPAA Regulations
Four factors can be included in the risk assessment used to determine whether PHI has been compromised. The first is to determine the nature and extent of the PHI involved. The second is to identify the unauthorized individuals who used the PHI. The third is to find out whether the PHI was actually viewed or acquired. The fourth is to determine the extent to which the risk to the PHI has been mitigated.
As per the Department of Health & Human Services (HHS), there are three exceptions to the definition of a data breach.
First, if a person acting under the authority of a covered entity or business associate acquires or accesses PHI unintentionally and in good faith, it is not considered a HIPAA breach.
Second, the exception applies to an unintentional disclosure of PHI by a person who is authorized to access PHI at a covered entity or business associate to another person who is authorized to access PHI at the same covered entity or business associate, or at any organized health care arrangement in which the covered entity participates.
Third, if the covered entity or business associate has a good-faith belief that the unauthorized entity which received the PHI would not have been able to retain the data, it is not a HIPAA breach.
The HIPAA Breach Notification Rule also states that the notification requirement applies only to unsecured PHI, that is, PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
Ransomware Attacks and HIPAA Breach
Many healthcare organizations are facing ransomware attacks, which makes it important to know whether a ransomware attack counts as a HIPAA data breach. There is no simple ‘yes’ or ‘no’ answer, and several arguments can be made. One can argue that even if a computer network holding PHI has been accessed and the data has been encrypted, the PHI has not necessarily been obtained or viewed by the unauthorized third party. Although the PHI was made inaccessible, there is no certainty that the third party actually did anything with it.
However, the definition of a breach, as per HHS, is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” On that reading, PHI encrypted by a ransomware attack does constitute a breach, because the PHI was acquired (that is, control or possession of the information was taken) by unauthorized individuals, and such acquisition is considered a ‘disclosure’ under the HIPAA Privacy Rule that is not permitted.
In July 2016, ransomware guidance was released by the department’s Office for Civil Rights (OCR) to help covered entities and business associates understand the strategies for keeping PHI safe in such attacks. OCR also suggests that “if the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer ‘unsecured PHI,’ then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”
However, the guidance also states that even if the data is encrypted, further analysis is needed to determine whether the PHI has actually been rendered “unusable, unreadable, and indecipherable” to unauthorized individuals.
Consequences of HIPAA Data Breach
The consequences of a HIPAA data breach can include hefty fines. A failure to adhere to the HIPAA Security Rule, or the lack of a risk assessment on the part of the healthcare organization, can be the key factor OCR considers when deciding the penalty for a health data breach. Beyond identifying vulnerabilities and risks to electronic Protected Health Information (ePHI), covered entities must also implement appropriate and reasonable safeguards to address them within an appropriate time frame. Business associates must likewise comply with the HIPAA regulations.