When does a HIPAA incident become a breach?

A HIPAA incident becomes a HIPAA breach when protected health information (PHI) is accessed, used, acquired, or disclosed without proper authorization and causes a compromise in its privacy or security measures. 

The difference between incidents and breaches

A HIPAA incident involves the unauthorized access, acquisition, use, or disclosure of PHI. On the other hand, a HIPAA breach occurs when such an incident compromises the security or privacy of PHI, posing a significant risk of harm to the individual.

Go deeper: What is the difference between a HIPAA incident and a HIPAA breach?

Determinants of a HIPAA breach

Several factors play a role in determining whether a HIPAA incident qualifies as a breach. These include: 

• Unauthorized access, use, or disclosure of PHI: A HIPAA breach occurs when PHI is accessed, used, or shared without permission. This can happen if individuals or entities obtain PHI without proper authorization or share it with unauthorized parties.
• Potential harm to individuals' privacy or security: A HIPAA breach can endanger the privacy or security of individuals whose PHI is involved, potentially causing financial, reputational, or emotional damage.
• Failure to adhere to HIPAA regulations: A breach of HIPAA regulations occurs when covered entities or business associates fail to comply with the requirements outlined in the HIPAA Privacy, Security, and Breach Notification Rules. 
• Requirement for Notification: When a HIPAA breach occurs, covered entities are generally required to notify affected individuals, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and in some cases, the media. 
• Scope and Impact: The scope and impact of a HIPAA breach can vary depending on factors such as the nature and extent of the PHI involved, the number of individuals affected, and the actions taken by the entity responsible for the breach. 

Related: Understanding HIPAA violations and breaches

Response and notification requirements

In the event of a HIPAA breach, covered entities are required to take immediate action to mitigate the harm caused. This includes:

• Immediate response: Upon discovering a HIPAA incident or breach, covered entities must respond promptly to mitigate potential harm. 
• Risk assessment: Covered entities must conduct a thorough risk assessment to evaluate the potential impact of the incident on the privacy and security of PHI.
• Notification of affected individuals: If the incident meets the criteria for a breach and poses a significant risk of harm to individuals, covered entities are required to notify affected individuals promptly. 
• Notification of regulatory authorities: Covered entities must also report breaches to the OCR promptly. 
• Media notification (if applicable): In certain cases involving large-scale breaches or breaches affecting a significant number of individuals, covered entities may be required to notify the media. 
• Documentation: Covered entities must maintain thorough documentation of their response efforts, including details of the incident, the risk assessment findings, notifications sent to affected individuals and regulatory authorities, and any corrective actions taken to prevent future breaches.

Go deeper: 

• How to respond to a data breach
• What are the HIPAA breach notification requirements

FAQs

What is the biggest cause of personal data breach?

Some of the common reasons behind data breaches include:

• Data is emailed to an incorrect recipient.
• Data is posted or emailed to the wrong recipient or address.
• Phishing scams and ransomware attacks due to poor cyber security systems.
• Loss or theft of paperwork due to poor physical security.

How serious is a HIPAA breach?

A HIPAA breach is a serious matter with potential legal, financial, and reputational consequences for the organization involved. The severity of a HIPAA breach depends on various factors, including the nature and extent of the breach, the type of PHI compromised, the number of individuals affected, and the organization's response to the breach.

How important is it to stay prepared? 

It is not just considered best practice, but also a legal obligation for healthcare organizations to have an organized data breach response plan. Being well-prepared enables these organizations to respond quickly and effectively in the event of a security incident, reducing potential harm and lessening detrimental outcomes.

Go deeper: What is a HIPAA data breach response plan?