When a healthcare organization in the United States suffers a breach involving 500 or more patients, the Office for Civil Rights (OCR) posts the details on an online breach portal, commonly called the HIPAA Wall of Shame. From January 1 to June 1, 2022, 180 “healthcare providers” were reported to the Secretary and posted on the OCR breach portal. This article summarizes the healthcare data breach report, identifying the leading cause and which types of providers and organizations were the primary targets. It also covers the specific HIPAA data breach reporting requirements and offers tips for preventing data breaches in healthcare.
2022 Healthcare Data Breach Report: Causes & Victims
As in previous years, the primary cause of 2022 healthcare data breaches has been hacking. These incidents have involved electronic health records, email, servers, laptops, and desktop computers. Millions of patient records were exposed, from nearly every state in the union. The takeaway is that attackers now have capabilities to compromise patient and client records that were previously hard to imagine. Clinicians are mandated by federal and many state laws to protect all such records, and these mandates are not only in place but enforced across healthcare professions and for all types of providers.
What Are the Requirements for a HIPAA Healthcare Data Breach Report?
When a healthcare provider or practice experiences a breach, specific HIPAA data breach reporting requirements must be met as detailed below.
Report Breaches to the HHS
Breach reporting timelines differ depending on how many patients are affected. If a breach affects 500 or more patients, the practice must report the incident within 60 days of discovery. For smaller breaches, practices should keep a list of all incidents occurring within the calendar year and report them within 60 days from the end of the year (March 1).
Report to the Correct Entities
In addition to notifying the HHS of a breach, practices must notify the affected patients. If the breach affects 500 or more patients, practices must also report it to the media. Practices should also inform law enforcement of breaches caused by hacking or theft.
Report Breaches Using the Correct Procedures
Breach reporting rules require practices to notify patients of a breach through mailed breach notification letters. If ten or more patients cannot be reached by mail, practices must post the breach notice on their website for 90 days.
A data breach report must include:
- A brief description of the breach
- A description of the types of information involved in the breach
- The steps affected individuals should take to protect themselves from potential harm
- A brief description of what the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches
- Contact information for the practice
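The reporting rules above (the 60-day deadlines, the media and law enforcement triggers, the 90-day website notice, and the five required letter elements) are easy to get wrong under incident pressure. The following Python helper is an added example, not code from the original article; the `Breach` fields, section names and thresholds are assumptions that encode only what the article states.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The five elements the article lists for a breach notification letter.
REQUIRED_SECTIONS = ("description", "information_involved", "protective_steps",
                     "practice_response", "contact")

@dataclass
class Breach:
    affected: int                  # number of patients involved
    discovered: date
    unreachable_by_mail: int = 0   # patients whose letters could not be delivered
    hacking_or_theft: bool = False

def hhs_deadline(b: Breach) -> date:
    # 500+ patients: report to HHS within 60 days of discovery.
    if b.affected >= 500:
        return b.discovered + timedelta(days=60)
    # Smaller breaches are logged and reported within 60 days of year end,
    # which the article gives as March 1 of the following year.
    return date(b.discovered.year + 1, 3, 1)

def obligations(b: Breach) -> dict:
    # Who must be told, by when, and through which channel.
    return {
        "hhs_report_by": hhs_deadline(b),
        "mail_patient_letters": True,
        "notify_media": b.affected >= 500,
        "notify_law_enforcement": b.hacking_or_theft,
        "website_notice_days": 90 if b.unreachable_by_mail >= 10 else 0,
    }

def missing_sections(letter: dict) -> set:
    # Which required elements a draft notification letter still lacks.
    return {s for s in REQUIRED_SECTIONS if not letter.get(s, "").strip()}
```

Run `obligations()` on the incident as soon as it is discovered, then `missing_sections()` on the letter draft before it goes to print.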
See TBHI’s previous articles for more information regarding HIPAA breach reporting:
- Did You Violate HIPAA? How to Effectively Compose a HIPAA Breach Notification
- HIPAA Breach Reporting
- HIPAA Breach Reporting Tool for “Wall of Shame”
4 Tips for Preventing Healthcare Data Breaches
What is the key to preventing data breaches in healthcare? Being prepared. There are generally two types of healthcare breaches: hacking, and unauthorized access to or disclosure of protected health information (PHI). In most cases, practices can prevent these common breaches by implementing an effective HIPAA compliance program.
In particular, practices that take the following steps will drastically reduce the risk of breaches.
1. Security Risk Assessments and Remediation
Security risk assessments (SRAs) are vital for preventing healthcare data breaches. An SRA aims to identify weaknesses and vulnerabilities in security practices to prepare against potential threats. Once SRAs have been conducted, remediation plans must be created to address any identified deficiencies.
2. Employee Cybersecurity Training
A significant portion of hacking incidents results from phishing emails. With the spike in phishing, employee cybersecurity training is essential to a practice’s overall security posture. Practices should train employees to recognize phishing attempts and what to do if they suspect an incident has occurred.
3. HIPAA Policies and Procedures
HIPAA policies and procedures are an essential part of HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. A practice’s policies and procedures should dictate this, and employees must be trained on them.
4. User Authentication, Access Controls, and Audit Controls
To enforce the minimum necessary standard, practices must implement user authentication, access controls, and audit controls. User authentication gives each employee unique login credentials, while access controls let administrators assign different levels of PHI access. Unique login credentials also make audit controls effective: they allow access to data to be traced to a specific employee, so that appropriate PHI access can be verified.
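Tips 3 and 4 describe the same control from two sides: a per-role minimum-necessary policy, and an audit trail tied to each employee's own credential that can later be reviewed. The Python below is an added example, not code from the original article or from the Compliancy Group; the role names, PHI field sets, and the two review thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Minimum-necessary PHI fields per job function (constructed for illustration).
ROLE_FIELDS = {
    "billing": {"name", "dob", "insurance_id"},
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "front_desk": {"name", "dob", "phone"},
}

@dataclass
class AuditEvent:
    user: str          # each employee's own credential, never shared
    role: str
    patient_id: str
    fields: frozenset
    allowed: bool

@dataclass
class PhiStore:
    records: dict      # patient_id -> {field: value}
    users: dict        # user -> role
    audit: list = field(default_factory=list)

    def read(self, user, patient_id, fields):
        # Release only the requested fields, and only if the role permits all of them.
        # Every attempt, allowed or denied, goes to the audit trail first.
        role = self.users.get(user)
        permitted = ROLE_FIELDS.get(role, set())
        requested = frozenset(fields)
        allowed = requested <= permitted
        self.audit.append(AuditEvent(user, role, patient_id, requested, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {sorted(requested - permitted)}")
        return {f: self.records[patient_id][f] for f in requested}

def flag_denied_users(audit, threshold=3):
    # Repeated denials suggest an account probing beyond its job function.
    denied = Counter(e.user for e in audit if not e.allowed)
    return {u for u, n in denied.items() if n >= threshold}

def flag_bulk_readers(audit, max_patients=5):
    # More distinct patients than a workflow should need: possible snooping or a stolen credential.
    seen = {}
    for e in audit:
        if e.allowed:
            seen.setdefault(e.user, set()).add(e.patient_id)
    return {u for u, p in seen.items() if len(p) > max_patients}
```

The two `flag_*` functions are the kind of periodic review the audit trail exists to support; because each event carries an individual credential, a flagged result points at one person rather than a shared login.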
This Article is Contributed by the HIPAA Compliancy Group