What is a HIPAA Data Breach?

In general, a HIPAA data breach is an impermissible use or disclosure that compromises the security or privacy of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can show there is a low probability the PHI has been compromised based on a risk assessment of at least the following four factors:⁴

1. The nature and extent of the PHI involved in the use or disclosure, including the types of identifiers and the likelihood that PHI could be re-identified (e.g., aggregated PHI vs. complete, intact patient records)
2. The unauthorized person who used the PHI or to whom the disclosure was made (e.g., whether the inadvertent disclosure was made to another covered entity regulated under HIPAA vs. a hacker)
3. The likelihood that any PHI was actually acquired or viewed (e.g., an audit trail shows there has been no access to the databases at risk vs. a stolen laptop with PHI stored on the hard drive where access cannot be determined)
4. The extent to which the risk to the PHI has been mitigated (e.g., encryption keys are promptly changed and network access monitoring shows no access vs. lost device with no opportunity to determine whether access has occurred)

When performing this assessment, a covered entity must address each element separately and then analyze the combined four elements to determine the overall probability that PHI has been compromised. If this assessment indicates there is low likelihood of compromised PHI, then the use or disclosure may not be classified as a HIPAA breach, and notification may not be required. If, on the other hand, the covered entity is unable to overcome the presumption of a breach and show that there is a low likelihood that the PHI was compromised, then breach notification may be required.⁴

HIPAA Data Breach Safe Harbor and Exceptions

Whether a privacy or security incident is a HIPAA breach depends on the nature of the PHI and the circumstances of the use or disclosure. Included in the HIPAA regulations is a critical safe harbor: If an impermissible use or disclosure involves PHI that has been rendered unusable, unreadable, or indecipherable (i.e., encrypted or remotely cleared, purged or destroyed), it does not rise to the level of a breach and, therefore, does not require notification.⁴

If the incident involves unsecured PHI, but the disclosure falls into one of three narrow breach exceptions, notification is similarly not required. According to the HHS website: "The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information."⁵

HIPAA Breach Notification

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.⁵ Covered entities must notify affected individuals, HHS and at times the media about the HIPAA breach. To whom and when notification must occur primarily depends on the number of individuals affected by the breach. If there is a breach of unsecured PHI that affects 500 or more individuals, the covered entity must notify the individuals and HHS without reasonable delay, and no later than 60 days after the covered entity discovers the breach. Once notified, HHS posts the breach on the HHS Office for Civil Rights (OCR) Breach Portal Website, which is available at: https://ocrportal.hhs.gov... (accessed 10/26/2015). The OCR is responsible for investigating breach incidents to determine if they were the result of HIPAA violations. OCR investigations may be initiated based on complaints, breach reports, information from other government agencies or reports in the media.

HIPAA Breach Analysis Flowchart

The following flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred.

In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. This publication focuses on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws, which is available at: www.healthinfolaw.org/state (accessed 10/25/2015).

Case One

At a busy family practice office, a medical assistant was tasked with reviewing 100 random patient records for quality purposes. Because she was about to miss her deadline for the project, she downloaded the records onto her laptop so she could work on the project over the weekend. She put her laptop in her car trunk and met friends for dinner on the way home. While she was having dinner, her laptop was stolen. The data on the laptop were not encrypted and there was no password protection.

HIPAA Breach Analysis

Q. Was PHI involved?
A. Yes. Full medical records were being stored on the laptop.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No. 

Q. Does one of the three disclosure exceptions apply?
A. No. Theft of a computer/storage device is not considered an exception.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
1. Type of PHI: The information was very sensitive and included numerous patient identifiers. There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients, or could be used to further the unauthorized recipient's own interests.
2. Who took it/received it: Unknown
3. Ease of access: Whether the medical information was viewed was unknown, but because there was no password protection on the computer, the chance that the PHI could be viewed was high.
4. Mitigation: There was no way to assure the PHI would not be used.

Case Two

At a community clinic, a nurse practitioner (NP) carried a laptop computer with her, using it to enter patient information into the electronic health record (EHR) as she examined patients. Between patients, she left her laptop at the nurses’ station while she went to get a cup of coffee in the break room. When she returned, the laptop was gone. The laptop required a password to sign on. Although the NP accessed patient records from the laptop, no PHI was stored on the device’s hard drive. In order to access the patient records, she had to sign on to the EHR system with a unique user name and password. She immediately reported to the office administrator that the laptop had been stolen. The administrator immediately disabled the NP’s user account. Although the laptop was never recovered, the administrator monitored the EHR system to determine whether anyone had attempted to sign on with the NP’s credentials, and no one had.

HIPAA Breach Analysis

Q. Was PHI involved?
A. Yes. PHI could be accessed from the device, but there was no PHI stored on the device.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No. 

Q. Does one of the three disclosure exceptions apply?
A. No. Theft of a computer/storage device is not an exception.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
1. Type of PHI: The information was very sensitive and included numerous patient identifiers. There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients or could be used to further the unauthorized recipient's own interests.
2. Who took it/received it: Unknown
3. Ease of access: Because the computer was password protected, did not store any PHI and required additional password sign-in to access the EHR, the chance that PHI could be accessed was low.
4. Mitigation: The office administrator moved quickly to disable the NP's user account, which would most likely prohibit the thief from being able to access the community clinic patient records.

Laptop Theft Prevention

The Federal Trade Commission suggests an individual think of his or her computer as cash on the table or an open wallet sitting on the back seat of a car.⁹ Consider the following strategies to safeguard laptops:^8,9

• If a laptop must be left unattended, lock it to something heavy with a laptop security cable.
• Make computers personally identifiable with permanent markings or engravings.
• Install a computer alarm that activates when the computer is moved out of a particular range.
• Install a program that tracks the location of a stolen computer.
• When going through airport security, keep your laptop and phone with you until the last minute, then visually track them and retrieve them immediately.
• When staying in a hotel, lock your laptop in the safe, lock it to something heavy or take it with you.
• Do not leave your laptop in a car.
• Do not use a laptop bag; consider using a bag that hides the fact that there is a laptop in it.
• Encrypt your computer's hard drive.
• Keep your laptop password protected and do not store passwords with, in or on it.
• If you have to put your laptop on the floor, place it between your legs so you remember it.
• Institute “clean desk” policies for employees, requiring secure physical locations for devices both during and outside of standard work hours.

Case Three

A staff member at a large health facility saved the PHI of 600 patients on a flash drive for a diabetes management outreach project. A couple of weeks later, when she returned to the task, she could not find the flash drive. A thorough search of her office did not turn up the missing flash drive, and it was presumed lost.

HIPAA Breach Analysis

Q. Was PHI involved?
A. Yes.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No. The PHI was not secured.

Q. Does one of the three disclosure exceptions apply?
A. No. Theft, loss or misplacement of a storage device is not an exception.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
1. Type of PHI: The information was sensitive and included numerous patient identifiers.  There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients or could be used to further the unauthorized recipient's own interests.
2. Who took it/received it: Unknown
3. Ease of access: Because the PHI on the flash drive was not encrypted or otherwise secured, the chance the PHI could be accessed was high.
4. Mitigation: Nothing could be done to mitigate the potential misuse of the information.

The notice to the patients had to be written in "plain language" and include:
A. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
B. A description of the types of unsecured PHI that were involved in the breach
C. Any steps individuals should take to protect themselves from potential harm resulting from the breach
D. A brief description of steps the covered entity is taking to investigate the breach, to mitigate harm to individuals (including providing identity theft protection services for those affected), and to protect against any further breaches
E. Contact procedures for individuals to ask questions, including a toll-free telephone number, email address, website or postal address.

Because over 500 patients lived in the same state, the covered entity also had to send major media outlets in that state a notification (i.e., a press release) that included the same information sent to patients. Furthermore, the practice's report to HHS was posted on the OCR Breach Portal. In addition to complying with federal requirements to notify HHS and patients, the covered entity had to follow applicable state regulations. The state where the breach took place had PHI data breach statutes and regulations in place that required an additional notification to the state department of health, which was required on an expedited basis.

Creating mobile device policies can be tricky. Burdensome security policies and strategies that diminish productivity will most likely result in workarounds that defeat security efforts.^*,† Additionally, human error and criminal intent can defeat the best-intentioned employee laptop and storage device security strategies. However, taking the focus off securing the device and putting it on securing the PHI can take data security out of the hands of the workforce and place it in the control of the Information Technology (IT) department, which, arguably, is where it should be. Encryption can secure PHI as it moves though the information stream and into computers and mobile devices. Encrypted PHI is less likely to be compromised if devices are lost, stolen or nefariously accessed. Additionally, there are various technologies available on the market that can dynamically detect and redact PHI and block sensitive information from being downloaded to certain devices.^*

Bring Your Own Device (BYOD) Policies

A Bring Your Own Device (BYOD) Policy should be put in place when administrators, clinicians and staff are allowed to use personally owned devices (e.g., laptops, tablets, smartphones) to access, manipulate, use, copy, store or move PHI. BYOD issues are a major source of data security breaches.^† Many device users don't even realize when they are exposing PHI to a security breach. For example, various apps don't store content on a device, they store it in the cloud. In many apps, the content is stored in the cloud by default, which requires device users to disable the cloud storage function if they don't want data to be held there. When users don't disable cloud storage, PHI can exist in multiple locations on cloud servers that cannot be controlled by the covered entity that is responsible for the security of the PHI. Covered entities that allow BYOD should develop and implement a policy defining how PHI must be protected, what steps must be taken if a personally owned device that potentially contains PHI is lost or otherwise compromised and the personal consequences of violating the BOYD policy.^†,‡

A BYOD policy and a personal device user agreement are available for policyholders through MyAccount in the DataShield^® Learning Center collection of policies, or by contacting a NORCAL Risk Management Specialist at 855.882.3412.

Resources

* Bitglass. 2014 Bitglass Healthcare Breach Report. Available for download from http://pages.bitglass.com... (accessed 10/26/2015).
† Pennic J. 68% of Healthcare Data Breaches Due to Device Loss or Theft, Not Hacking. HIT Consultant. Available at: http://hitconsultant.net... (accessed 10/26/2015).
‡ TVirtu. HIPAA Email Compliance — Why it's Crucial for Enterprise IT.14 Aug 2015. VirtuBlog Available at: www.virtru.com... (accessed 10/26/2015).

Case Four

A family practice group had a business associate agreement with a billing company. An employee in the billing company sent an email with an attachment that contained patient information for 70 patients to an incorrect email address. Public records indicated the email address was active, but attempts to contact the individual associated with the email address were unsuccessful.

HIPAA Breach Analysis

Q. Was PHI involved?
A. Yes.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No. The PHI was unsecured.

Q. Does one of the three disclosure exceptions apply?
A. No. Although the transmission of the PHI to the incorrect email address was inadvertent, the PHI was sent to an individual who was not associated with the group or its business associates who could have accessed the PHI.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
1. Type of PHI: The information in the email was sensitive and included numerous patient identifiers. In the wrong hands, there was a high possibility the PHI could be used in a manner adverse to the patients or could be used to further the unauthorized recipient's own interests.
2. Who took it/received it: The data exposure was inadvertent, but whether the PHI would be further disseminated was unknown because the owner of the email address did not respond to inquiries.
3. Ease of access: The PHI was not encrypted and could be easily accessed.
4. Mitigation: There was nothing the practice could do to mitigate the potential misuse of the PHI.

In the foregoing case, the breach was caused by a business associate, but it just as easily could have been caused by an in-house billing department. The HIPAA Security Rule does not prohibit the inclusion of PHI in email, but the HIPAA standards for access control, integrity and transmission security require covered entities and their business associates to have policies and procedures in place that protect the security of PHI in email. If email is not encrypted, HIPAA requires a risk assessment of how the integrity of the PHI will be protected. Consider the following recommendations:¹¹

• Encrypt email.
• Put a disclaimer on email to mitigate a security breach if PHI is sent an unintended recipient. For example:

  This email message and any attachment(s) transmitted with it are intended only for the use of the recipient(s) named above. This message may contain privileged and confidential information, including patient information protected by federal and state privacy laws. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this message in error, please notify the sender immediately by reply email and delete the original message.

• Employ interactive software (e.g., a pop-up box) that prevents or warns the sender when he or she is emailing PHI. Remind the sender to double check the email address.
• Give patients the option of receiving unencrypted email only after they had been advised of and consented to the risk of data breach.
• The HHS website answers questions about email communication with patients at: www.hhs.gov... (accessed 10/26/2015).
• Include email security requirements in business associate contracts.

Case Five

A receptionist at an obstetrics and gynecology group accessed the records of her ex-husband's new girlfriend, who was a patient. The receptionist discovered in the records that the patient had a record of treatment for sexually transmitted diseases (STDs). The receptionist downloaded portions of the patient's record detailing the STD treatment and later anonymously emailed the records to her ex-husband. The ex-husband confronted the patient, who reported the privacy violation to the group. The group's IT department was able to identify the receptionist as the culprit, and she was fired.

HIPAA Breach Analysis

Q. Was PHI involved?
A. Yes.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No.

Q. Does one of the three disclosure exceptions apply?
A. No.

Q. Is there a low probability that PHI has been compromised?

A. The compromise of PHI was established, and because none of the exceptions applied the attorneys who reviewed this case determined a breach had occurred and notification of the affected patient and the HHS was necessary. The patient had to be informed no later than 60 days after the breach was discovered (although she already knew all about it). Because the breach involved fewer than 500 patients, the group was required to report it to HHS not later than 60 days after the end of the year.

Comprehensive and effective staff/clinician policies are the backbone of an effective security strategy. However, the best policies can't be successful if employees aren't aware of them or do not follow them. Therefore, covered entities need to train all clinicians and staff on PHI security and breach policies and protocols and consistently enforce violations. Consider the following recommendations: ^12,13

• Provide clinician and staff training initially and then annually on PHI security.
• AHIMA provides guidance on HIPAA security and privacy training at: http://library.ahima.org... (accessed 10/26/2015).
• Ensure clinicians and staff understand PHI security policies and protocols.
• Ensure clinicians and staff understand their responsibilities and roles in protecting PHI security, the various sensitivity levels of information and how PHI should be accessed, stored and transmitted.
• Require staff to sign confidentiality agreements.
• Enforce PHI security policies consistently among clinicians, staff and administrators. (HIPAA requires all covered entities to have sanction policies and procedures in place and to take actions against workforce members who do not comply with them.)
• Inform individuals working with PHI that accessing PHI for reasons not related to their job functions is a violation of state and federal privacy law.
• Consider using a pop-up box warning users they are accessing PHI and all accesses are being audited (if true).

• Limit clinician and staff access to the data they need to perform their job functions. (E.g., there was no reason for the receptionist in Case Five to have access to patient progress notes.)
• Ensure clinicians and staff are prepared to appropriately respond to a suspected data breach.
• Constantly audit systems to discover improper access.
• Monitor for and resolve inappropriate user ID and password sharing.

Sample Policies, Plans and Agreements

NORCAL Mutual policyholders have access to the DataShield^® Learning Center through their MyAccount, which contains numerous policies, plans and agreements related to information security, including:

• Acceptable Use Policy
• Mobile Device Security Policy
• Bring Your Own Device (BYOD) Policy
• Removable Media Policy
• Remote Access Agreement Form
• Personal Device User Agreement
• HIPAA Security Rule Policies & Procedures
• HIPAA Sanction Policy Guidelines

Hackers

A review of the data on the OCR Breach Portal indicates that only about 10 percent of healthcare data breaches are the result of hacking, but they involve large numbers of records.⁶ Unfortunately, hacks targeting healthcare data are increasing in frequency. There are various causes driving the increase. For example, electronic health records are far more valuable on the black market than credit card information. They are more valuable in part because they contain more information (e.g., health insurance policy information and drug prescription information, which have various uses independently and in combination with the other common information in health records). Additionally, patients are less likely to notice their PHI is being misused than they are to notice unauthorized charges on their credit card, which usually results in closing an account and significantly diminishing the value of the stolen information. Patients can't close their health records and start over. The information can be used indefinitely.¹⁴ Finally, healthcare entities are often easier to hack into than financial institutions and retailers because electronic recordkeeping is relatively new to the healthcare industry and fraud is frequently not treated with the same priority as it is in financial or retail institutions. This has resulted in less sophistication in data security tools and strategies used among healthcare providers.¹⁵

Hackers can strike anywhere. They access PHI through various avenues, including email servers, EHR systems, network servers and portable devices connected to various servers. The HHS website reports hacking incidents affecting numerous healthcare entities, from solo practice physicians to university hospitals to nationwide health insurers. Hackers, when they can be identified, range from disgruntled employees attempting to divert patients to competitors to sophisticated offshore hacking rings that presumably steal health data to sell on the black market.¹⁰

Just like laptop or cellphone theft, hacking seems inevitable. The most sophisticated perimeter defense (programs to keep hackers out of the system, e.g., firewalls) is unlikely to completely prevent hackers from getting into data systems. Data security experts advocate for increased efforts in deterring hackers from extracting data from systems they have accessed or have attempted to access.  One way to accomplish this objective is by applying security controls at various layers, such as implementing intrusion prevention software at the network perimeter, in addition to deploying monitoring software inside the perimeter that is designed to alert on anomalous PHI access attempts. A third layer and example would be applying encryption to all PHI, thus reducing the risk of exposure if other efforts are thwarted and the PHI is extracted.

Encryption

Failure to adequately safeguard PHI can result in costly and time-consuming forensic investigations to determine whether and to what extent data may have been accessed. PHI encryption is a way to avoid these difficulties. If PHI is appropriately encrypted, there is a low probability that anyone other than the intended party who has the private key will be able to decrypt and ultimately decipher the contents. Using strong encryption may be the most efficient and effective means to avoid HIPAA data breach, as the rule makes clear that impermissible use or disclosure of PHI encrypted pursuant to HIPAA guidelines is not considered a breach.^16,17

HIPAA defines encryption as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of confidential process or key."¹⁸ Data at rest (i.e., data stored in work stations, laptops, tablets, phones, flash drives, or external hard drives) and data in motion (i.e., data in a non-persistent state that is in transit across the Internet,

wireless networks and connections, etc.) are addressed separately in HIPAA encryption guidance.¹⁷ According to the Breach Notification Rule, the proper standards for encrypting data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, available at http://csrc.nist.gov... (accessed 10/28/2015).¹⁷ The appropriate standards for encrypting data in motion are consistent with any of the following NIST publications:¹⁹

• 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations. Available at: http://nvlpubs.nist.gov... (accessed 10/26/2015)
  
• 800-77, Guide to IPsec VPNs. Available at: http://csrc.nist.gov... (accessed 10/26/2015)
• 800-113, Guide to SSL VPNs. Available at: http://csrc.nist.gov... (accessed 10/26/2015)
• 140-2, Security Requirements for Cryptographic Modules. Available at: http://csrc.nist.gov... (accessed 10/28/2015)

Avoiding HIPAA Data Breach

Consider the following general strategies for avoiding and mitigating data breach:^4,20

Educate Staff and Clinicians

• Know what state and federal health data security laws require.
• Educate clinicians, staff and administrators on responding to a data security incident.
• AHIMA provides guidance on HIPAA security and privacy training at: http://library.ahima.org... (accessed 10/26/2015).
• Educate clinicians and staff about proper protocol when handling PHI on a mobile device.
• The HHS HealthIT website has two different computer games created for training healthcare clinicians and staff on HIPAA device security. The games can be accessed at: www.healthit.gov...  (accessed 10/26/2015).

Assess Data Security Risk

• Perform thorough HIPAA risk assessments on a regular basis.
• Analyze all sources, systems, movement and storage of PHI.
• Document the results of the risk assessment.
• Implement additional safeguards to address any security risks identified.

Mitigate Data Security Risk

• Imagine all of the ways data can be inappropriately accessed, and put up road blocks.
• Encrypt all PHI.
• Install software to remotely wipe PHI and disable passwords in case of device loss or theft.
• Require authentication to access mobile devices, including complex passwords or biometric measures.
• Encrypt email and text messages.
• Install software to stop viruses and malware.

Monitor for Security Breach

• Implement a data activity monitoring system to alert IT to potential security threats. The HHS OCR HIPAA Audit Protocol provides guidance for determining monitoring protocols. It is available at: www.hhs.gov... (accessed 10/26/2015).

Respond to Security Incidents

• Have a documented data security incident response plan in place.
• Identify who is on the incident response team and what actions they will take to address the incident.
• Report security incidents to the covered entity's information technology/security department and the NORCAL Mutual Claims Department at 844.4NORCAL.
• Notify affected patients and the appropriate regulatory agencies in the manner advised by your attorney.

Every data security incident is unique (despite seemingly similar fact patterns) and federal and state data security breach regulations are constantly evolving and changing. It is important to stay current with breach notification requirements. Because breach notification is time sensitive, immediate action is frequently required. Although HIPAA generally allows 60 days for notifying patients and regulatory agencies about a breach, state law may require shorter notification periods, and determining the breadth of a security incident may involve hiring outside IT professionals, which can be time consuming.

The first step in preventing a costly security breach from having an impact on your practice is to take HIPAA compliance seriously. Know the rules and ensure employees, consultants and business associates are all on the same page about PHI security, recognizing and reporting potential security breaches in a timely manner and enforcing data security policies and protocols. Unfortunately, one forgetful or malicious individual can cause a data breach at a practice with comprehensive data security policies, protocols and education programs. Some of the key ways to most effectively avoid data breaches are: adopting widespread encryption, performing comprehensive risk assessments periodically and focusing on appropriate controls with regard to laptops and portable media.

| Specials thanks to Ross C. D'Emanuele, Partner, Dorsey & Whitney, LLC, and Kelly Nicholson, Systems Engineer, Security, NORCAL Group, for reviewing this article.