In this rapidly advancing technological world, an increasing number of healthcare providers are incorporating electronic health record (EHR) technology. In addition, they are also connecting to health information exchanges more frequently, making patient health information (PHI) more susceptible to online security threats as well as possible HIPAA data breaches.
The convenience of PHI being more accessible to providers also carries the risk of being more accessible to hackers and unauthorized users. Effectively monitoring and managing potential risk is imperative for a healthcare organization. Risk assessments play a key role in staying HIPAA compliant. Mobile devices and ransomware threats are examples of why healthcare providers need to be prudent in their risk analyses. The slightest oversight or lapse could lead to a HIPAA data breach as well as a lengthy, expensive recovery course.
What Is a HIPAA Data Breach
Per the U.S. Department of Health and Human Services (HHS), a data breach is the forbidden use or disclosure of PHI under the Privacy Rule that jeopardizes the security or privacy of patients. For example, if a nurse’s assistant is a friend of patient Jane Doe and posts on social media that Jane Doe’s health condition is worsening, this is a HIPAA breach. Another type of data breach is unencrypted data being lost or stolen due to using backup tapes for data archival. Portable devices that are unencrypted or not properly safeguarded by passwords, personal identification numbers, or other security measures, pose a much greater risk of a data breach.
There are three exceptions to the HHS Privacy Breach. First, if a healthcare worker unintentionally acquires the use of PHI while acting under authority of the covered healthcare organization, this is an exception. Secondly, inadvertently sharing PHI with another person who has authorized access to PHI is not a breach. For example, John Doe is a patient at XYZ Hospital. Dr. Smith is his cardiologist and Dr. Jones is his nephrologist. To properly coordinate a heart and kidney care plan of treatment for Mr. Doe, Drs. Smith and Jones are allowed to share PHI pertaining to the patient. Lastly, if a healthcare organization believes that the person to whom the PHI disclosure was made is unable to retain the information, this is also not considered a data breach.
Understanding HIPAA data breaches and the exceptions to the rule provides healthcare organizations the information they need to formulate extensive data security plans to keep PHI safe and secure. One of the easiest ways to prevent an employee data breach is by training, documenting, and monitoring employee adherence to security policies and procedures. In addition to training your own employees, remember to be vigilant when checking your business associates’ compliance to ensure their employees have been trained.
Ransomware Attacks – Are They HIPAA Data Breaches
Whether or not a ransomware attack is a HIPAA data breach is determined on a case-by-case basis. To put it somewhat simply, if electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, it is considered a HIPAA data breach because the PHI was able to be accessed. Therefore, it is a disclosure that is not permitted under the HIPAA Privacy Rule.
On the other hand, if the ePHI encrypted in a ransomware attack was already encrypted in alignment with HIPAA regulations, it may or may not be considered a breach. Each situation is treated uniquely. The HHS Office of Civil Rights states, “If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer ‘unsecured PHI,’ then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”
Ensuring PHI Protection
The HHS PHI Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
In order to determine the best security measures, a healthcare organization must consider its size, capabilities, and complexity. Furthermore, the technical hardware and software infrastructure must be evaluated as well as the expense of security measures. Last, but certainly not least, every healthcare organization must scrutinize the likelihood and possible consequences of plausible risks to ePHI.
To protect ePHI, it is imperative that healthcare organizations keep all security measures up-to-date, confirm compliance with state and local laws, as well as HIPAA compliance. There are several ways ePHI security can be compromised, and that is why facilities have to be cautious and able to adjust security measures when necessary.
HipLink offers real-time secure messaging for Apple or Android devices. The user can send secure text messages, encrypted for HIPAA compliance from a desktop or smartphone. For more information, contact us at 408-399-6120.