
What every organization should know about HIPAA

What Is The HIPAA Privacy Rule?

According to, “The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”

In other words, the Privacy Rule sets forth standards to protect health-related information, specifically information controlled by organizations that handle electronic forms of medical records.

What is the HIPAA Security Rule?

Also according to, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

The Security Rule sets forth the specific things that an organization is expected to do to protect healthcare data. It also describes who is expected to protect health data and who is liable for its loss.

What Is A Covered Entity and Who Qualifies?

A covered entity is any health plan, health care clearinghouse, or health care provider that transmits health information in electronic form. However, the application of HIPAA does not end there. A Business Associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. In other words, any organization that does work for a covered entity and has regular access to health records is responsible for complying with parts of HIPAA.

What Data Is Protected?

According to the Summary of the HIPAA privacy rule:

HIPAA protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, 

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

In other words, PHI is any health-related data that identifies a person, or that could reasonably be used to identify one.

What Is The Breach Notification Rule?

According to, “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” For the loss of fewer than 500 records, annual notification is required; for the loss of more than 500 records, notification is required within 60 days.

What Are The Risks For Non-Compliance? (Or, In Other Words, Why Is This Important To Me?)

There are a number of factors to consider, such as the number of records lost and how much neglect is involved. None of the specifications in the HIPAA rules are optional; some are called “addressable”, which just means that you have freedom in how you implement them. The Federal Register provides a wealth of information and estimates of the average costs of breaches. Penalties are only a portion of the costs. Costs to consider include:

  • Cost to notify individuals
  • Cost to provide a toll-free number and subsequent call charges
  • Cost to investigate the breach
  • Cost to notify individuals with new privacy notices
  • Costs of civil penalties
  • Potential jail time

All of these costs add up to the total cost to an organization in the event of a breach. The civil penalties are outlined in the following table from the Federal Register:

Categories of Violations and Respective Penalty Amounts Available (Source: The Federal Register)

  Violation Category                        Each Violation     All such violations of an identical provision in a calendar year
  (A) Did Not Know                          $100-$50,000       $1,500,000
  (B) Reasonable Cause                      $1,000-$50,000     $1,500,000
  (C)(i) Willful Neglect - Corrected        $10,000-$50,000    $1,500,000
  (C)(ii) Willful Neglect - Not Corrected   $50,000            $1,500,000

As the costs add up, healthcare organizations need to realize that the cost of becoming compliant can be well below that of a large breach. In a previous post we talk about the general areas on which an organization needs to focus in order to become compliant with most standards. For a detailed breakdown of controls that should be considered for HIPAA, here is a good post. Here are a few of the recent breaches and examples from HHS (these don’t include any Business Associates, but we will probably start seeing those this year or next):

Case Examples and Resolution Agreements (Source: HHS)

  Organization                           Cause of Breach                                                                                                                                               Penalty
  New York and Presbyterian Hospital     Web server misconfiguration                                                                                                                                   $3,300,000
  Concentra                              Stolen, unencrypted laptop                                                                                                                                    $1,725,220
  Alaska DHSS                            Stolen, unencrypted USB drive; inadequate policies and procedures; failure to complete risk analysis, employee training, device and media controls, or encryption   $1,700,000
  WellPoint                              Application database misconfiguration; failure to perform risk analysis; inadequate policies and procedures                                                 $1,700,000
  Massachusetts Eye and Ear Infirmary    Unencrypted personal laptop; management was aware of the Security Rule but failed to take necessary action                                                  $1,500,000
  Columbia University                    Failed to perform risk analysis or provide policies and procedures governing IT                                                                              $1,500,000
  BCBST                                  Stolen, unencrypted hard drives                                                                                                                               $1,500,000
  Shasta Regional Medical Center         Failure to obtain written authorization to disclose PHI                                                                                                       $275,000
  QCA                                    Failed to perform risk analysis and to provide physical safeguards for workstations                                                                           $250,000