Abstract: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule uses Protected Health Information (PHI) to define the type of patient information that’s protected by law [1]. PHI is an important factor for HIPAA compliance. PHI isn’t confined to medical records and test results. Any information distributed by a business associate that can identify a patient and is used or disclosed to a covered entity during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.
Understanding what is considered Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important for all providers in order to avoid violations that can result in big fines [2]. Illustrated here is the Paubox HIPAA Breach Report that analyzed breaches affecting 500 or more individuals as reported in the HHS Wall of Shame in September 2017 [3].
HIPAA Breaches Ranked by People Affected
Top Three Breach Types
- Email breaches ranked the highest with 206,994 people’s PHI hacked or stolen in September. That’s up over 600% from August’s total of 33,334.
- Network Server breaches ranked second, with PHI of 182,782 people breached.
- Desktop Computer breaches ranked third, with 18,317 people having their PHI breached.
Bottom Three Breach Types
- Electronic Medical Record breaches ranked lowest, with the PHI of 3,109 people breached in September.
- Laptop breaches ranked second lowest at 4,869.
- “Other” was the third-lowest breach type, with 5,127 people affected.
HIPAA Breaches Ranked by Occurrence
The Most Common
- Email was the most common breach in September, with 13 reported breaches affecting 500 or more people’s PHI.
- Network Server was the second most common breach type with 6 incidents.
- Desktop Computer and “Other” were third with 5 breaches.
The Least Common
- Laptop, Paper/Films and Electronic Medical Record rounded out the bottom of the category with 2 reported breaches each.
Email breaches took the top spot for both number of people affected and number of reported breaches. As a HIPAA breach vector, email has consistently ranked in the top quadrant this year.
Hoala Greevy is a Founder and CEO.
1. Office for Civil Rights. Summary of the HIPAA Privacy Rule. HHS.gov. 2013. URL: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
2. Kuwahara R. Big money HIPAA fines a good reminder for everyone. Paubox. 2016. URL: https://www.paubox.com/blog/big-money-hipaa-fines-a-good-reminder-for-everyone
3. U.S. Department of Health and Human Services Office for Civil Rights. Cases currently under investigation. URL: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
This is an open access article distributed in accordance with the Creative Commons Attribution Non-Commercial (CC BY-NC 4.0) license, which permits others to distribute, adapt, enhance this work non-commercially, and license their derivative works on different terms, provided the original work is properly cited and the use is non-commercial. See: http://creativecommons.org/licenses/by-nc/4.0