What is the difference between a HIPAA incident and a HIPAA breach?

While the terms may be related, a security incident is an event that compromises the integrity, confidentiality, or availability of an information asset. On the other hand, a data breach is a prohibited use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of protected health information (PHI).

Clarifying the misconceptions

Misunderstandings can sometimes exist when distinguishing between a HIPAA security incident and the definition of a HIPAA breach. Although they are often interconnected, it is important to note that not all security incidents result in breaches, nor are all breaches caused by security incidents.

Misconceptions surrounding the two terms can arise because their definitions are located in different sections of the Administrative Simplification Regulations. The definition of a HIPAA security incident appears in §164.304 of the Security Rule as: “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” However, the definition of HIPAA breach does not appear until §164.402 of the Breach Notification Rule. This is because breaches are events that can compromise PHI, regardless of the media on which PHI is maintained. 

According to the U.S. Department of Health and Human Services (HHS), a breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

Therefore, the attempted infiltration of an information system does not necessarily have to be successful before the event qualifies as a HIPAA security incident. Similarly, an impermissible verbal disclosure qualifies as a HIPAA breach even though no security incident has occurred.

Examples of HIPAA security incidents

• Unauthorized access: Someone accessing patient records without proper authorization.
• Lost or stolen devices: Misplacement or theft of devices containing unencrypted PHI, such as laptops or smartphones.
• Employee error: Accidental disclosure of PHI through email or fax to the wrong recipient.
• Malware attacks: Intrusions by malicious software compromising healthcare databases or systems.
• Phishing attacks: healthcare staff falling victim to phishing emails designed to steal login credentials.
• Physical security breach: Allowing unauthorized individuals to enter areas where patient records are stored.
• Insider threats: Employees intentionally leaking patient information for personal gain or malicious intent.
• Weak password protection: Using easily guessable or default passwords to access systems containing patient data makes it easier for unauthorized individuals to gain access.

See also: 

• What is cybersecurity in healthcare?
• Cyberattacks on the healthcare sector
  
  

Examples of a HIPAA breach

• Unauthorized employee access: A healthcare staff member accesses patient records without authorization, either out of curiosity or malicious intent.
• Lost or stolen devices: A laptop containing unencrypted patient information is stolen from a healthcare facility, exposing sensitive data to unauthorized individuals.
• Hacking incidents: Cybercriminals gaining unauthorized access to a healthcare database, compromising the confidentiality of patient records.
• Phishing attacks: Employees fall victim to phishing emails that trick them into revealing login credentials, allowing cybercriminals to access patient information stored on network systems.
• Improper disposal of PHI: Patient records not being disposed of properly, such as throwing away paper documents containing PHI without shredding them first.
• Data transmission errors: Sending patient information to the wrong recipient due to errors in email addresses, resulting in the unauthorized disclosure of PHI.
• Insider threats: Employees intentionally disclose patient information to unauthorized individuals, either for personal gain or as a result of negligence in handling sensitive data.
• Physical security breaches: Unauthorized individuals gaining access to secure areas of a healthcare facility where patient records are stored, leading to potential theft or tampering of sensitive information.
• Ransomware attacks: Cybercriminals deploy ransomware to encrypt patient data stored on healthcare systems and demand payment in exchange for decryption keys.

See also: 7 common HIPAA violations you need to avoid

Characteristics of a HIPAA breach

• Unauthorized disclosure: Information accessed or shared without proper authorization.
• Substantial risk: A determination that the breach poses a significant risk of financial, reputational, or other harm to the affected individuals.
• Notification requirement: Covered entities are obligated to notify affected individuals, the HHS, and potentially the media, depending on the scope of the breach.

Key differences between a HIPAA Incident and a HIPAA Breach

• Nature of event: A HIPAA incident encompasses any potential violation of HIPAA regulations, while a HIPAA breach specifically involves the confirmed compromise of PHI.
• Severity: While all breaches are incidents, not all incidents escalate to breaches. Breaches indicate a more severe violation with actual harm or risk of harm to patient privacy.
• Response protocol: HIPAA mandates specific reporting and response procedures for breaches, including notification requirements, whereas incidents may be resolved internally without external reporting.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

How can healthcare organizations prevent HIPAA incidents and breaches?

Healthcare organizations can implement robust security measures, such as access controls, encryption, employee training, regular risk assessments, incident response plans, and compliance audits, to prevent HIPAA incidents and breaches and safeguard patient information.

What should individuals do if they suspect a HIPAA incident or breach has occurred?

Individuals who suspect a HIPAA incident or breach should report their concerns to the relevant healthcare provider or entity responsible for safeguarding their information. They may also contact the HHS Office for Civil Rights (OCR) to file a complaint.

Go deeper: Filing a HIPAA complaint