HIPAA Breach: Definition and Types of Breaches

Following a breach of unsecured protected health information (PHI), the HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services and, in some cases, the media.

Vendors of personal health records and their third-party service providers, which are not covered by HIPAA, are subject to a similar rule (the Health Breach Notification Rule) put in place and enforced by the Federal Trade Commission (FTC).

What is a HIPAA Breach?

According to 45 CFR §164.402, which is emphasized in the HIPAA Survival Handbook, a breach is defined as:

"the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information."

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following four factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the PHI or to whom the disclosure was made;

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

The burden of proof sits with the covered entity or business associate: if the assessment is not performed and documented, the presumption of breach stands and notification is required.

Unintended disclosure was the leading cause of reported breaches in 2017, according to one study.

The most common examples are:

Organizations sending PHI to a patient or a staff member over unencrypted channels, such as plain email or unencrypted messaging.

Staff falling prey to phishing scams and, as a result, disclosing login credentials or sending PHI to an attacker.

Organizations failing to put access controls and monitoring in place to prevent internal and external misuse of PHI.

What is Not Considered a Breach?

To understand what counts as a breach, it helps to look at what the rule explicitly excludes. Section 164.402 carves out three situations that are not breaches:

An unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate, if it was made in good faith and within the scope of that person's authority, and the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule.

An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement), again provided the PHI is not further used or disclosed impermissibly.

A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

As an example, suppose an administrator mistakenly emails a patient's PHI to a colleague at the same covered entity who is also authorized to access PHI. If the colleague does not further use or disclose the information, the inadvertent disclosure falls under the second exception and is not regarded as a breach. Note that the exception turns on who received the PHI and what happened to it afterwards, not on how rarely such mistakes occur: the same email sent to an outside party is an impermissible disclosure and is presumed to be a breach unless the four-factor risk assessment above shows a low probability that the PHI has been compromised.