HIPAA Security Incidents and Breaches

by Jodie Cannon, BS

Many people believe that a HIPAA breach automatically leads to investigations and fines.  This is not necessarily the case. The purpose of the HIPAA Security Rule and the goal of HIPAA compliance is to position your organization to minimize the chance of a breach and to properly deal with a breach if one occurs.  That said, it is impossible to eliminate all possibility of a breach. For example, the actions of your employees and Business Associates are completely out of your control. Again, HHS (Health & Human Services) and the OCR (Office for Civil Rights) are not expecting perfection.  In fact, it is estimated that if you have 10,000 records in your office, chances are 1 in 3 that you will have a breach – so odds are you will have one sooner or later. This article is designed to examine security incidents and breaches and determine how to deal with them.

What constitutes a security incident?  Anytime the Security Officer suspects that somehow ePHI (electronic Protected Health Information) was disclosed in an unauthorized fashion, it is considered a Security Incident.  The Security Incident must be investigated before it is determined to be a breach.

Suppose a laptop is lost or stolen.  Is that a breach? Maybe or maybe not.  An internal investigation needs to be launched.  Was there ePHI on the laptop? Was the laptop encrypted?  Could the laptop be remotely wiped? Only after these questions and others are answered can you determine whether there was a breach.  For instance, if the laptop was encrypted, that is considered “Safe Harbor” under HIPAA, and there is no reportable breach. Since security incidents do not happen every day, we recommend that you do the following if you have one:  Contact Modern Practice Solutions!  We will guide you through the next steps and assist you with your Breach Determination & Risk Assessment Documentation form.

Let’s return to the lost laptop example.  Assume the laptop was not encrypted and you determine that there was a breach.  What then? Again, we would guide you through the process, but generally, the steps are:

• Determine the extent of the breach – how many individuals are affected?
• Report the breach to HHS/OCR
• Inform the affected individuals
• Review the breach and determine what changes in policies, procedures or processes are necessary to prevent this from occurring again in the future

Will you get investigated by Office for Civil Rights (OCR)?  There is a good chance that you will. Is this really bad? Certainly, you do not want a breach to occur, but then again, it is not possible to prevent all breaches.  

What will happen?  Most likely, you will receive a desk audit letter from OCR asking for information about the breach and your HIPAA compliance program.  Do not respond to the letter without contacting us.  We will review your documentation and help you respond.  An important thing to remember is that if you have been following our HIPAA compliance program, you should be in very good shape.

Can you get fined?  The simple answer is yes.  HHS and OCR have fined organizations in the past.  Generally, we observe fines for what is termed “willful neglect”.  Willful neglect is when your organization does not make a good faith effort to implement a HIPAA compliance program.  Keep in mind that the cost of a breach or investigation is generally much higher than a fine. Harm to your reputation is especially damaging.  For many reasons, it is in your best interest to maintain HIPAA compliance.

In summary, security incidents and breaches can and will happen.  Your role is to minimize the chances that security incidents and breaches will occur and to properly deal with them if in fact, you have the misfortune to experience one.  If you have any questions, please do not hesitate to reach out to our support team.