The term data breach refers to a security incident where an outside party gains access to data on a system or device. But data doesn’t have to be stolen for it to qualify as a breach. Here’s what you need to know about data breaches.
Data breaches and sensitive information
A data breach can be devastating to a company. This is especially true for organizations that store sensitive information like credit card numbers.
For healthcare providers dealing in electronic protected health information (ePHI), a data breach can be especially concerning. If ePHI is viewed, stolen, or otherwise compromised in the breach, you could be at risk of a HIPAA violation.
To better understand how a data breach could affect your business, it’s important to take a close look at HIPAA laws regarding data breaches.
Data breaches and HIPAA violations
The U.S. Department of Health and Human Services defines a breach as an event that “compromises the security or privacy of the protected health information.” If you can prove that the breach was unlikely to have put PHI at risk, you may be able to keep it from becoming a violation.
To indicate that information wasn’t at risk, you’ll need to be able to show that you mitigated any damage. If your software caught the breach quickly and your personnel took action to protect your ePHI, for instance, you can use data logs to show that information was unlikely to have been compromised.
Regardless of whether information was stolen, though, you’re required to report any breach. Notification must be made to the affected individuals, the HHS Secretary, and, when applicable, the media.
How data breaches happen
Data breaches are a bigger problem than ever. In fact, in the first quarter of 2020, 8.4 billion records were exposed, a 273 percent increase over the same quarter in 2019. Data breaches are often associated with servers and devices, but where HIPAA violations are concerned, email is the top threat vector. In 2019, 39 percent of all HIPAA violations were via email.
HIPAA outlines very specific guidance when it comes to email, including:
- Extra precautions are required when discussing medical information with patients, including confirming that the recipient’s email address is correct.
- Encrypted email is not required, but if unencrypted email is used, providers should limit the information being discussed.
- Reasonable accommodations must be provided if a patient requests them. If, for instance, a patient prefers mailed reminders of appointments to text or email, the provider must comply.
Preventing data breaches
Once you understand what a data breach is and what a HIPAA violation is, it’s important to take measures to keep them from happening.
HIPAA compliant email, including encryption, protects your communications against a data breach. Whether you’re discussing medical information with patients or interacting with employees, it takes at least some of the pressure off.
Data breaches are an ongoing problem for healthcare-related businesses, but with the right tools in place, you can protect your ePHI without restricting your communications. Paubox Email Suite provides HIPAA compliant, encrypted email by default to help your practice remain compliant and avoid data breaches.
Paubox’s convenient solution integrates with both Google Workspace and Microsoft 365 to protect your messages with no extra action on your part. You won’t have to manually secure each message because all emails are encrypted by default. The recipient can read the encrypted messages directly from the inbox, with no passwords or portal logins required.