Data Breach and Breach Notification

Year over year, data breaches have increased in the education, medical/healthcare, and business sectors.  As of May 2016, the number of data breaches captured by the Identity Theft Resource Center is up 23.9% over the same time period last year.  Since September 2009, the Office for Civil Rights, the agency responsible for enforcement of HIPAA, has received 1,536 reports involving a breach affecting 500 or more individuals, and 227,000+ reports of breaches of PHI affecting fewer than 500 individuals.

Unfortunately, most breaches occur due to a failure to take reasonable care to keep Protected Health Information (PHI) and Personally Identifiable Information (PII) secure.   These can be caused by simple carelessness when sending a fax, leaving information sitting on a desk where it can be seen by another patient, or putting PHI in a trash can rather than shredding.  Sending patient information or even your personally identifiable information in electronic form, via email or other methods, has greater risk and, therefore, more specific rules on how to do it safely.  In more serious instances, laptops with unencrypted patient information or even paper medical records have been stolen, exposing both the patient and the provider to serious risks.

The decision and obligation by the University to notify an individual of the theft, loss, or other impermissible use or disclosure of their protected information is determined by state and/or federal law.  Federal law governs the use, disclosure and breach notification of protected health information and state law governs the breach of personally identifiable information as well as protected health information.  The University has had a Breach Notification Policy specific to HIPAA since the implementation of the Breach Notification Rule; however, it did not address a breach of personally identifiable information.  The University creates, maintains and stores other confidential data, protected by State law, which could be breached and could trigger additional reporting obligations.  In light of this, The University recently revised the Breach Notification Policy to address compliance with both State and Federal law and now covers other confidential data including personally identifiable information, protected health information and student data covered by FERPA.

The University has a HIPAA and Information Security website where all the pertinent policies, procedures and forms can be found (www.hipaa.wustl.edu or www.informationsecurity.wustl.edu), and a Privacy Office ready to answer all of your questions (314-747-4945) about our policies and procedures and to provide tips on how you can protect the data you work with as well as your own personal information.

About the author