Healthcare Technology Featured Article

March 12, 2021

What is Considered a HIPAA Breach in 2021?


The year 2021 has been like no other in our recent history, a year that many have already decided to write off due to the global pandemic Covid-19 (SARS-CoV-2). The Coronavirus has impacted all of our lives, none-so-more than the life of healthcare workers, front-line doctors, nurses, and support staff in the healthcare industry. Non-frontline healthcare workers have been forced to work from home, small clinics have closed, and non-critical patient operations have been canceled.

However, despite the pandemic, healthcare professionals still have the duty to uphold HIPAA compliance during these difficult times. The shift to home working for support staff has introduced added complexities to protect sensitive data on medical devices, but the pandemic has also proven that the HIPAA safeguards work and are of significant importance.

The Office for Civil Rights (OCR) has the responsibility of reporting the breaches of Protected Health Information (PHI). Since the start of lockdown, there have been 178 reported breaches to the OCR. In some cases over 1 million patients were affected by a breach. These are cases that have been fully investigated and closed with relevant penalties imposed in the last 5 months.

Types of Breaches

There are two distinct classifications of a HIPAA breach. A violation that does not result in the use or disclosure of PHI is ranked as “not a breach”. Violations that do involve PHI must be defined as unintentional or intentional disclosure. Accidental disclosure is still a breach but carries less severe penalties, but deliberate disclosure is considered a very serious breach and involves significant penalties.

Using data directly sourced from the OCR, the overwhelming majority, some 85% of breaches, are hacking or IT incidents. This is a very generalized classification, but it contains all breach incidents that were caused by social engineering, phishing, email reach, hacking, ransomware, malware, etc.

Other common types of breaches include theft, loss, and incorrect disposal of PHI. We will go into more detail on this later, but this data helps to highlight that healthcare is a valuable target for hacking communities.

What is a HIPAA Breach?

The scenarios where a covered entity can be found in breach of HIPAA regulations vary wildly. It is impossible to list all of these, so we can gather together some of the most common HIPAA violations:

  • No valid risk assessment - the risk analysis is a core element of HIPAA with many purposes that identify the risk to PHI in an existing technical solution. It is the first task to be completed on the road to compliance, and it works as a baseline of tasks to be completed
  • Sharing protected health information - Whether intentional or unintentional, PHI should never be shared with unauthorized persons, whether it be a professional colleague, the media, or family members
  • Snooping on PHI - viewing PHI when not authorized is an offense, personnel are not allowed to view PHI unless it is for a specific purpose
  • Incorrect disposal of PHI - The secured disposal of PHI is mandatory, this varies from the proper destruction of data, computer hard disks, laptop theft, backups, and the destruction of paper files
  • Insufficient PHI access controls - A fundamental technical safeguard of HIPAA is to make sure that controls over who has access to PHI are implemented. User accounts, access control lists with Multi-Factor authentication are a good start
  • Failure to encrypt PHI - it is a mandatory requirement to encrypt PHI in transit over a network, this is achieved by TLS certificates, VPN traffic, and security cipher suites. It is advisable to encrypt all PHI data at rest
  • Breach Notification - Failing to notify the OCR of a breach within 60 days is a breach of HIPAA compliance
  • Incorrect Handling of PHI - PHI has to be transferred via official channels, emailing PHI to personal accounts, printing or taking offsite is an offense
  • Unauthorized Disclosure - releasing patient info to an unauthorized individual is a breach, however, there are some specific relaxation of the rules here during the global pandemic
  • Limited Logging - detailed logging of PHI access, changes, and updates is mandatory for HIPAA compliance. When audited, you may be asked to provide information on who accessed PHI on a specific date. If you cannot provide this information you are in breach. There are some specific relaxation of the rules here during the global pandemic when gathering data at COVID Test stations

OCR regulation waivers due to Covid-19

On the 17th March 2020, the Office for Civil Rights (OCR) announced that enforcement discretion and waiving penalties for HIPAA violations would be introduced. It is possible that this headline-grabbing announcement may have been misinterpreted by some covered entities. Some healthcare professionals may have thought that they did not need to meet HIPAA guidelines during the early stages of the lockdown.

The OCR only waived specific HIPAA enforcement rules to allow greater flexibility when providing healthcare services directly to patients during these uncertain times. The OCR is not relaxing all HIPAA safeguard regulations, and covered entities must at all times uphold the integrity of protected health information.

Most of the discretions relate to how healthcare providers can use PHI to contact known or expected Covid-19 patients or next of kin, and how data is handled at testing sites. A waiver was introduced specifically related to the teleconferencing technical safeguards of HIPAA compliance. This becomes critical to then building telemedicine applications that are in compliance with the law.

Video conferencing services have proven invaluable during the pandemic, enabling clinics to continue operating and follow safe distancing guidelines. The waiver has allowed these front-line services to use tools such as WhatsApp, Zoom, and FaceTime to conduct face-to-face consultations. This approach has enabled GPs and medical teams to talk directly to patients on a common platform that most patients will have access to.

With that being said, what is considered a HIPAA breach in 2021? Well, it is exactly the same conditions as before, failure to comply with the technical, administrative, and physical safeguards of HIPAA. Breaching these conditions is a significant concern that can lead to severe penalties, in fact, the fines have gone up in 2020!

Relaxations have happened in 2021, but these are very related specifically to Covid-19. HIPAA regulations are still enforceable and all covered entities, business associates, and third parties are bound by the HIPAA safeguards. Penalties and breach notifications have been published by the OCR regularly during the pandemic, and it will be interesting to see further information as the relaxations to Covid-19 start to bed in.


 





FREE eNewsletter

Click here to receive your targeted Healthcare Technology Community eNewsletter.
[Subscribe Now]