What is a HIPAA Breach? (+ Tips to Avoid Them)

December 23, 2021 by Antonio Arias, MBA, CHBME

Topics: Medical Billing, Practice Management

Did you know that healthcare data breaches cost US industries $6.2 billion per year? With such a high cost, it’s more critical than ever to ensure that your medical practice is taking the best steps possible to avoid a HIPAA breach and continue to safeguard your patients’ information. Keep reading to get a refresher on HIPAA policies relating to personal health information breaches and how to avoid them.

What Is HIPAA?

As defined by the Centers for Disease Control and Prevention (CDC), “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Essentially, this legislation protects personal health information (PHI) from being discussed or shared without the patient’s authorization, which further fortifies a patient’s privacy.

The aim of HIPAA was not only to secure patient information but also to prevent waste and fraud in the healthcare industry as a whole. Because the original Act was signed into law at the very start of the computer age, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 to outline technological requirements that align with HIPAA. The HITECH Act encourages the use of electronic health records to further safeguard patient information and introduces the Breach Notification Rule, which mandates that all breaches of 500+ individual records be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

The latest legislation related to HIPAA was passed in 2013 as the Final Omnibus Rule, which primarily clarified various definitions related to HIPAA and further outlined what standards organizations have to adhere to with new pieces of technology. For example, it recognized mobile devices as needing to maintain HIPAA standards.

Who Has to Follow HIPAA Regulations?

Since personal health information takes many forms across a variety of industries and services, there are various types of individuals and organizations who must follow HIPAA guidelines as they come across it, including:

  • Healthcare providers: This might be the obvious answer, but healthcare professionals can have access to multitudes of information for a plethora of patients, so it’s vital that they maintain HIPAA confidentiality when handling patient information
  • Health plans: Whether private insurance or other programs like Medicare, health plans and their related agencies and personnel must follow HIPAA regulations
  • Healthcare clearinghouses: These organizations act as intermediaries that process health information; while perhaps not directly involved in patient care or managing health insurance plans, they still need to maintain HIPAA standards
  • Business associates: This category covers a broad swath of third-party vendors or organizations who handle or have access to personal health information for whatever reason; each must adhere to HIPAA regulations when needed

The goal of HIPAA legislation is to protect patient information across all platforms or potential areas where that information might be accessed; it’s crucial that all pertinent parties follow HIPAA regulations.

What Is a HIPAA Breach?

A breach is defined in HIPAA section 164.402 as:

“The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”

When a breach is suspected to have occurred, the business or organization must then determine the severity by considering the following factors:

  • What type of personal health information was involved?
  • Who was the person to potentially see this information?
  • Did the person in fact see this information?
  • What is the risk of this unauthorized person seeing this information?

From there, the organization can move forward with either patient notification, if the incident qualifies as a breach, or further risk mitigation.

There are also three exclusions to what counts as a breach:

  • If the exposure was unintentional and is not expected to be a repeated offense
  • If it was an accidental exposure from one HIPAA-certified person to another HIPAA-certified person
  • If the covered entity—or organization—has reason to believe the unauthorized person wouldn’t be able to retain details of the personal information

Regardless, it’s better to be safe than sorry and double-check all facets of the situation if your medical practice suspects a HIPAA breach might have happened.

How To Avoid a HIPAA Breach

There are a few solid steps you can take to help mitigate the chance of a HIPAA breach impacting your medical practice, such as:

Assess Your Vulnerabilities

Consider engaging a data security consultant to perform end-to-end risk analysis on your technological operations and medical billing function. If that’s outside your budget, at least utilize the HIPAA audit protocols to understand which HIPAA privacy and security rules the OCR is watching out for, then invest in bolstering your protections in each of those areas.

Implement—and Update—Smart Policies

You already have security measures in place, but how often do you revisit them? The same question goes for your incident response plan, your data backup plan, and even your staff education and training programs. Make sure you have defined strategies in place that include scheduled reviews and updates every six months—if not even more frequently.

Monitor Your Technology

Cybercrime has increased 600% since the start of the pandemic in 2020. In our increasingly tech-driven healthcare environment, security vulnerabilities abound, ranging from malware and phishing to the theft or loss of mobile devices. And when organizations fail to understand their risk factors in a holistic way, the threats are multiplied by that lack of awareness.

Train Your Staff on Best Practices

Hold your team and partners responsible. Is your staff executing day-to-day tasks with security in mind? Or are you turning a blind eye when you spot unlocked laptops, unsecured mobile devices, and open charts lying around in precarious places? Make sure your team follows all applicable policies and procedures, and extend the same diligence to your business associates and all third parties you work with, including your medical billing service.

Turn to the experts at NCG Medical for HIPAA-compliant medical billing, revenue cycle management, and more to streamline your practice and optimize your operations. Outsourcing your medical billing can tremendously improve your practice in terms of internal and external efficiency. A medical billing firm can equip your practice with 24/7 reporting via analytics, for example, or can act as an in-house electronic health records (EHR) expert. In doing so, the outsourcing service can help ensure that incentive program adherence doesn’t drag your team’s time away from patients.

With NCG Medical, you’ll gain a team of experts in your corner who can help navigate the worlds of medical billing, healthcare software, and more! Contact us today to learn how we can make your practice more efficient, enable better patient access, and ensure you give the most effective care.
