Example Of Breaches Of Protected Health Information Essay


Published: 2020/11/13


The HIPAA & Breach Enforcement Statistics have revealed that there were more than 1,100 health data breaches involving more than 500 individuals each in February 2015 alone (Melamedia, 2015). Nine incidents from December 2014 through January 2015 affected more than 365,000 patients, with the theft of laptops being the leading cause of protected health information (PHI) breaches (Melamedia, 2015).
The Health Information Technology for Economic and Clinical Health Act's Breach Notification Rule (2009) obliges all covered entities and their business associates to provide notification after a breach of PHI (McCann, 2012). Entities whose PHI has been compromised must report to the Department of Health and Human Services, which in turn posts the report publicly if the breach has affected more than 500 individuals (McCann, 2012).
To date, one of the biggest PHI data breaches in history is that of the military health care provider Falls Church, which reported having lost backup tapes containing PHI from the electronic health records (clinical data, Social Security numbers, phone numbers, and addresses) of almost five million military beneficiaries (McCann, 2012).

Definition of Breach

According to the U.S. Department of Health and Human Services, a breach is an impermissible use or disclosure of protected health information (PHI) under the Privacy Rule that compromises the privacy or security of that information. Every impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a “low probability that the protected health information has been compromised based on a risk assessment of [some specific factors]” (HHS, n.d.). These factors include:

The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the PHI has been mitigated.

Covered entities and business associates are not obliged to perform this risk assessment; at their discretion, they may simply provide the required breach notifications after an impermissible use or disclosure of PHI (HHS, n.d.).

The definition of breach has three exceptions:

The unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of the covered entity or business associate, if the act was made in good faith and within the scope of that authority.
The inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, provided the information is not further used or disclosed in a manner that violates the Privacy Rule.
The covered entity or business associate believes in good faith that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information (HHS, n.d.).
According to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects the privacy of protected health information, all covered entities, meaning organizations or individuals that electronically transmit health-related information in the course of normal health care practice (e.g. health plans, health care providers, and health care clearinghouses), may not use or disclose PHI unless the Privacy Rule requires or permits it (Clause et al., 2004). Protected health information is defined as information that relates to (1) an individual's past, present, or future physical or mental health or condition, (2) the past, present, or future payment for the provision of health care to an individual, and (3) the provision of health care to an individual (Institute of Medicine, 2009). However, the Privacy Rule does not protect PHI held or maintained by an organization other than a covered entity, and it does not apply to de-identified information (Institute of Medicine, 2009). In addition, covered entities cannot use or disclose PHI without the written permission of the individual concerned, and that written permission must satisfy specific content requirements to count as an authorization. The situations (all subject to detailed conditions) in which a covered entity can disclose PHI without the individual's authorization are:

For research purposes
For public health purposes (as required by federal and state law)
For administrative and judicial proceedings (only with a court order)

Electronic medical records must be kept by their creator in an authenticated and unaltered form, just like any other medical records. The creator is responsible for protecting patient records regardless of the form in which they are kept. The Health Information Technology for Economic and Clinical Health Act of 2009 (Pub. L. 111–5) requires all covered entities to report data breaches affecting more than 500 individuals to the U.S. Department of Health and Human Services, to the people affected, and to the news media (Licastro, 2012).

How the Breach Occurred

The incident at the health organization was a data breach. Neither the data nor the laptops used within the organization were encrypted, and although the files were all password-protected, it was determined that the data could be accessed by an individual with some expertise (e.g. an enlightened amateur). The result was the compromise of 5,000 patient records, which put the patients at considerable risk of harm, given that these files included the patient's name together with either the date of birth, the reason for the appointment, or the Social Security number.

Suggested Course of Action

As per the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section 13402, following the discovery of a breach of unsecured PHI, covered entities have to notify the affected individuals, the Secretary, and (in particular cases) the media of the breach within 60 days of the incident (Office for Civil Rights, 2011).

Notifying Patients

In order to notify the patients and the public affected by the breach with the least amount of panic, the organization should send emails to the affected individuals who have agreed to receive electronic notices. Where a patient does not have an email address, a first-class letter should be sent to the patient's last known address. In any other case, the telephone can be used to inform the patient about the breach. The notice should be written in easy-to-understand, plain language that shows full respect for the customers. It should contain a brief description of the incident and inform the patients of the exact date of the breach and the date it was discovered. By presenting these dates, customers will be reassured that the violation was found within the first 24 hours of its occurrence and that proper and immediate measures were therefore taken to handle the situation. Those affected should also be informed of the steps they can take to protect themselves from possible harm resulting from the breach, as well as the steps the organization is taking to investigate the breach, reduce harm to patients, and protect against any potential future breaches of PHI. In addition, individuals should be provided with the organization's email address, postal address, or a toll-free telephone number so they can contact the organization and find out everything they need to know about the breach. That way, they will feel reassured that they are respected and that the organization is doing everything humanly possible to strengthen its security procedures, with stringent security policies and the implementation of sophisticated technologies, in order to prevent future breach attempts.

Notifying the Media

According to the HITECH Act, if a breach involves more than 500 individuals, the covered entity should notify the media. The organization should therefore notify the media in the form of a press release that includes the same content as the notice sent to the individuals.

Action Plan to Prevent a PHI Breach

It is suggested that the health organization revise its procedures and policies regarding PHI storage and maintenance. Installing a new security system as a means of improving physical security is also advised. Additionally, records could be relocated to more secure areas while encryption technologies and new password-protected systems are adopted. The workforce members that handle PHI should be trained or retrained.
There should be penalties and sanctions for workforce members who violate procedures and policies, for instance through unauthorized removal of PHI from the facility or unauthorized access to PHI. The organization's business associate contracts should be revised and made more stringent regarding the protection of confidential information. Finally, a new risk assessment and the provision of free credit monitoring to customers should also be considered.


Protected health information breaches are nothing new in the healthcare industry. They have occurred in the past and will probably occur in the future. When such a violation occurs, it puts patients at risk of harm if their personal information ends up in the wrong hands. Since the most common cause of a PHI breach is the theft of laptops containing this information, organizations should implement stricter security measures, always encrypt their customers' data, and protect their files with passwords, while developing policies that allow only authorized personnel to access PHI, with severe punishments if the safety procedures are not followed. Both the Health Information Technology for Economic and Clinical Health Act and the Health Insurance Portability and Accountability Act Privacy Rule give detailed guidance on the notification and security measures that should be taken in case of a PHI breach and to prevent one; this guidance should be closely adhered to in order to avoid incidents that cause chaos, stress, and public distress. Finally, those affected by a PHI breach should be informed and reassured that the proper steps are being taken to resolve the issue and avoid future attempts.


References

Clause, S. L., Triller, D. M., Bornhorst, C. P. H., Hamilton, R. A., & Cosler, L. E. (2004). Conforming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy, 61(10), 1025–1031.
HHS (n.d.). Health Information Privacy. U.S. Department of Health and Human Services. Retrieved Feb. 14, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Licastro, L. (2012). HIPAA/HITECH Enforcement Action Alert. The National Law Review: Morgan, Lewis & Bockius LLP. Retrieved Feb. 15, 2015, from http://www.natlawreview.com/article/hipaahitech-enforcement-action-alert
McCann, E. (2012). Slideshow: 10 biggest HIPAA data breaches in the U.S. Healthcare IT News. Retrieved Feb. 15, 2015, from http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states?page=9
Melamedia (2015). HIPAA & Breach Enforcement Statistics for February 2015. Health Information Privacy/Security Alert. Retrieved Feb. 15, 2015, from http://www.melamedia.com/HIPAA.Stats.home.html
Office for Civil Rights (2011). Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010. Retrieved Feb. 15, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf
