Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?
To many of you reading this post this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time next time I get asked the same question. What is worse, however, is I often hear people say — out of complete ignorance — “no, it is not a big deal.”
Healthcare professionals must understand just how important cybersecurity and privacy of patient protected health information (PHI) is to their practices: You can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.
Are ransomware attacks a data breach?
Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification, by default, unless you perform a risk assessment that considers four factors and determines there was no breach. See HHS FACT SHEET: Ransomware and HIPAA
The reason for this is because under what is called the CIA Triad of Cybersecurity. To maintain the security of data, you must ensure you maintain its confidentiality, integrity, and availability; when you have a ransomware attack encrypt your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the nature of the ransomware, some strains may exfiltrate data prior to the encryption, causing a failure to maintain confidentiality as well.
Is there a penalty for failing to notify?
Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to timely notify. Below are two notable cases where HHS has done this but it is important to note that the vast majority of the smaller ones are resolved with fines and compliance measures imposed at the investigation level:
- HIPAA enforcement action for lack of timely breach notification settles for $475,000
- Lack of timely action after stolen laptop results in $3.2 million fine
Does HHS fine small healthcare practices?
Read these examples and decide for yourself:
- $100,000 HIPAA fine designed to send message to small physician practices
- $50,000 fine levied for stolen laptop breach involving fewer than 500 patients
- $1.7 million fine for stolen laptop breach
- $250,000 fine for stolen laptop breach
- $650,000 fine for Business Associate’s stolen mobile device with records of 412 individuals
- Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
If you would like more information about other HHS cases, read about these HHS Case Examples.
What are the 3 most important questions you should ask yourself now before you have an incident?
- Do you have privacy and cyber insurance coverage for your practice?
- Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
- Do you understand these 3 critical cybersecurity steps your organization must take?
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.