Digital technologies improve our lives, but they put our personal data at constant risk of theft and loss. Unfortunately, between 2015 and 2019, 76.59% of all data breaches reported were in the healthcare industry, and in 2020, 79% of all reported data breaches targeted healthcare organizations. Despite risks to patient safety and significant HIPAA fines for healthcare providers that fail to protect patient data, PHI security breaches still happen.
If you don’t want your business to be in the news for all of the wrong reasons, it’s best to take PHI security seriously. Learn what a PHI security breach is, as well as how it affects your business.
What Are PHI Security Breaches?
Protected healthcare information (PHI) includes any healthcare data that can be used to identify an individual or is tied to an individual. If you can look at a piece of data to identify a patient in a healthcare setting, it likely qualifies as PHI. Likewise, if you’re looking at identifying information such as a patient’s name or Social Security number along with that individual’s healthcare data, such as vital stats in a patient health record, it’s also PHI.
If you’re a covered entity (like a doctor’s office) or a business associate (like a healthcare accounting company), you must implement appropriate measures to protect PHI against breaches.
A PHI breach is any access, use, or disclosure of PHI that violates HIPAA due to non-compliance or inadequate security measures. But to qualify as a breach, the attack needs to violate the patient’s right to security or privacy.
Breach Examples
Every healthcare provider is different, but some of the most common PHI breaches include:
- The theft of printed patient records.
- Thieves taking unsecured mobile devices that contain PHI.
- Employees sending unencrypted information to the wrong patient via email or text.
- Employees accessing PHI for personal use.
- Accessing unsecured patient information on a home computer.
What Doesn’t Count as a PHI Breach?
Keep in mind that not every improper disclosure is actually a PHI breach. It depends on the details of the situation, but disclosures likely won’t count as a PHI breach if:
- You can prove that the PHI disclosure didn’t reveal patient information. For example, if an attacker stole encrypted PHI and wasn’t able to decrypt it.
- You can prove the person who received the PHI didn’t keep it.
- Authorized employees in another department shared patient information with other employees. Since the sharing happened within the covered entity, it likely wouldn’t qualify as a PHI breach.
- Employees accidentally shared patient data with a business associate, and it was not compromised or exposed further while in the business associate’s possession.
Determining Whether a Breach Is Really a Breach
Since the nature of the disclosure has a tremendous impact on whether it’s truly a breach or not, it’s important to understand the disclosure before you take action. To determine whether this is a breach, you should consider three things:
- The nature of the PHI. What information was shared? How likely is it that the recipient can use the information to identify someone?
- The recipient. Was it an unauthorized employee within your organization? Or a hacker outside of the business that stole 10,000 patient records? One is clearly worse than the other.
- The extent of the disclosure. Sometimes it depends on how much information was shared, as well as how many records were shared in total.
Follow the HIPAA Breach Notification Rule
Between 2009 and 2021, an astonishing 314,063,186 healthcare records were exposed, stolen, or compromised in reported breaches of 500 records or more. That equates to nearly 95% of the U.S. population.
If you discover your organization had a breach, it’s important to follow HIPAA’s Breach Notification Rule to win back your patients’ trust — and stay on the right side of the law.
The Breach Notification Rule requires you to notify patients if they were the victim of a breach, but you only need to notify patients if there was a breach of unsecured PHI. If there was a loss of encrypted data, you may not need to follow the Breach Notification Rule.
If a breach involves the disclosure of unsecured PHI, you must notify patients either by mail or email about the breach. If the breach included fewer than 500 records, you need to notify the HHS within 60 calendar days of the end of the year when you detected the breach or before. If you found a breach in early 2022, for example, you would have until late October 2022 to report it.
If the breach was 500 records or more, you’ll need to:
- Notify all patients.
- Report it to HHS within 60 days of discovering the breach.
- Report it to local media outlets via a press release.
Keep in mind that this doesn’t just apply to covered entities. Business associates are also in charge of PHI security, so whether you provide patient care or simply support healthcare providers, you need to take the proper precautions to protect PHI.
Situational ePHI Awareness is Crucial for Avoiding PHI Security Breaches
No healthcare cybersecurity infrastructure is impervious, so your organization needs to make a plan for managing PHI breaches. Understand what constitutes a PHI security breach and follow HIPAA’s reporting requirements to stay compliant.
While it’s good to know how to respond to a breach, it’s better to prevent breaches in the first place. But you can’t protect PHI and ePHI if you don’t know it exists. Tausight’s Situational ePHI Awareness solution detects PHI and monitors PHI activity throughout your healthcare ecosystem, offering continuous validation of cyber preparedness. Should a PHI breach occur, Tausight’s immutable, off-site audit trail provides forensic-level detail to shorten your cyber recovery time. Contact Tausight today to learn how Situational ePHI Awareness can aid your compliance efforts.
