The term “data breach” is used extensively by the Department of Health and Human Services (HHS) when referring to doctors, hospitals, chiropractors, dentists, and other entities covered under the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare practices have been slapped with hefty fines ranging upwards of $10,000 for such breaches. But what exactly constitutes a data breach in the eyes of the HHS?
Data Breach Defined
A data breach is essentially an impermissible use and/or disclosure of Protected Health Information (PHI). Before a covered entity can legally share a patient's personal data with another organization or entity, it must first obtain his or her written permission via an authorization form. There are times, however, when the personal information of a healthcare patient is released without the patient's consent, which is classified as a data breach.
There are instances in which the impermissible use or disclosure of PHI is not a data breach. If the covered entity is able to demonstrate that there was a low risk of PHI being compromised based on the risk factors listed below, it may not be considered a breach.
- The nature and extent of the PHI involved, including the types of identifiers present and the likelihood that the data could be re-identified.
- The person or entity to whom the data was disclosed (e.g. if another worker within the organization accidentally accessed the patient's data, the incident may not rise to the level of a breach).
- Whether or not the PHI was actually viewed or acquired.
- The extent to which the covered entity has taken measures to mitigate the risk to the PHI.
There are a few other exceptions to HIPAA breaches, one of which is the unintentional access and/or use of PHI by a worker or other person acting under the authority of the covered entity or business associate.
Another exception involves the accidental disclosure of PHI within the covered entity's workforce, such as a worker inadvertently disclosing a patient's personal data to another worker. In cases such as this, HIPAA prevents any further use or disclosure of the PHI under the Privacy Rule. The covered entity must still notify the patient of the incident and take measures to prevent future instances from occurring.
Hopefully, this will give you a better idea of what constitutes a data breach. In most cases, a data breach occurs when a patient's personal data is disclosed to another individual or entity without their consent. As noted above, however, there are certain exceptions that covered entities need to be aware of.