HIPAA resource center
Responding to a breach

HIPAA requires security measures primarily to prevent breaches of protected health information (PHI). A breach is the theft, loss, or unauthorized access, use, or disclosure of PHI. When a practice suffers a breach of unsecured PHI, the law requires it to notify the affected patients and HHS.
What causes breaches
Most breaches are caused by human error and involve failure to set or follow proper policies. Malware controlled by cybercriminals has also become a significant threat.
Unfortunately, merely losing control of unsecured PHI (PHI that is not encrypted or destroyed in a manner HHS recognizes) counts as a breach under the law. For example, if a thief steals an unencrypted practice laptop that contains patient records, this counts as a breach even if there is no evidence anyone ever accessed the records. HHS still holds the practice responsible for the breach even though it was the victim of a crime.
Importantly, federal regulations exempt properly encrypted data from breach reporting. So if a thief steals an encrypted practice laptop, the practice does not have to report the loss to HHS or patients. Instead, the practice simply notes the lost laptop in its security documentation. Two caveats apply: the encryption must be consistent with HHS guidance (which points to the NIST encryption standards), and the decryption key or passphrase must not have been compromised along with the device. Keep records showing that each device was encrypted and when, so the practice can demonstrate after a loss that the exemption applies. Encrypting all devices that access PHI is one of the best steps a practice can take to protect itself from breaches.
Why breaches matter
Breaches have become common in health care. Part of the reason is that PHI is valuable to cybercriminals. Medical records contain a wealth of personal information that enables identity theft and other cybercrimes.
Breaches can cause patients stress and financial hardship, and they can be devastating for medical practices. Large breaches trigger HHS investigations, which often uncover violations apart from those involved in the breach. HHS can assess civil penalties of up to $1.5 million per calendar year for violations of the same provision (a cap that is adjusted for inflation), and legal and administrative costs can drive the total cost of a single breach to several million dollars.
Reporting a breach
If a practice suffers a breach, it must notify each affected patient in writing without unreasonable delay and no later than 60 days after discovering the breach, regardless of how many individuals are affected. The letter should describe what happened, what types of information were involved, what patients can do to protect themselves, and how the practice will mitigate the impact. For example, many organizations provide a year of credit monitoring to individuals whose information has been compromised.
If the breach affects fewer than 500 individuals, the practice must report it to HHS within 60 days of the end of the calendar year in which the breach was discovered. Small breaches usually do not trigger HHS investigations, and HHS does not publicize them.
If the breach affects 500 or more individuals, the practice must report it to HHS without unreasonable delay and no later than 60 days after discovering the breach. HHS will then post a public notice of the breach on its breach reporting portal. If more than 500 residents of a state or jurisdiction are affected, the practice must also notify prominent media outlets serving that area.
If the number of individuals affected by a breach is uncertain at the time of submission, you should provide an estimate, and if you discover additional information, submit updates via the same electronic notification process.
Cybersecurity tips
Set security policies on how PHI may be accessed and handled. Train staff on your policies and ensure they are followed.
Implement access controls. Only authorized personnel should have access to PHI, based on their role. Give each user a unique login with a password or PIN; shared logins make it impossible to attribute activity in the access log to an individual.
Log access to PHI, and set policy to ensure you actually check the access logs on a regular basis. EHR software typically logs access to records. However, many breaches have gone undetected for months because no one checked the log. Ensure there are clear expectations around who checks the log, how often, and what they look for: access that does not fit a user's role or schedule, such as unusually many records viewed in a day, bulk exports or printing, and activity outside clinic hours.
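The following is an added example for the log-review tip above; it is not code from the AAD page or from any EHR vendor. It assumes an audit-log export with four tab-separated fields (ISO-8601 timestamp, user, patient id, action); real exports differ, so parse_log() is the part you would adapt. The sample log lines, user names, patient ids and thresholds are all constructed for the example.

```python
"""Spot-check an EHR access log for patterns that deserve a closer look."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export (not real data); the four-field tab-separated
# layout is an assumption about the EHR's audit log format.
SAMPLE_LOG = """\
2024-03-04T09:12:03\tdr.smith\tP1001\tVIEW
2024-03-04T09:40:55\tdr.smith\tP1002\tVIEW
2024-03-04T10:05:10\tfrontdesk1\tP1001\tVIEW
2024-03-04T10:07:44\tfrontdesk1\tP1002\tVIEW
2024-03-04T23:48:00\tfrontdesk1\tP1003\tVIEW
2024-03-05T02:10:00\tfrontdesk1\tP1004\tEXPORT
2024-03-05T02:11:30\tfrontdesk1\tP1005\tEXPORT
2024-03-05T02:12:05\tfrontdesk1\tP1006\tEXPORT
2024-03-05T02:12:40\tfrontdesk1\tP1007\tEXPORT
2024-03-05T02:13:15\tfrontdesk1\tP1008\tEXPORT
2024-03-05T11:00:00\tdr.smith\tP1009\tVIEW
"""

# Thresholds are assumptions chosen for the sample; baseline them from your
# own logs (for example, the 95th percentile of distinct patients a given
# role touches per day) before relying on them.
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
MAX_PATIENTS_PER_DAY = 4
BULK_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}
MAX_BULK_PER_DAY = 3


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    patient: str
    action: str


def parse_log(text):
    """Parse the export into Event records. Malformed lines raise rather than
    being skipped: a gap in the review is itself something to investigate."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        ts, user, patient, action = fields
        events.append(Event(datetime.fromisoformat(ts), user, patient, action.upper()))
    return events


def review(events, business_hours=BUSINESS_HOURS,
           max_patients_per_day=MAX_PATIENTS_PER_DAY,
           max_bulk_per_day=MAX_BULK_PER_DAY):
    """Return (rule, user, detail) findings under three rules:
    after_hours  - any access outside business hours
    volume       - a user touched more distinct patients in one day than expected
    bulk_export  - a user ran many export/print/download actions in one day"""
    findings = []
    patients_by_user_day = defaultdict(set)
    bulk_by_user_day = Counter()
    for e in events:
        day = e.when.date().isoformat()
        patients_by_user_day[(e.user, day)].add(e.patient)
        if e.action in BULK_ACTIONS:
            bulk_by_user_day[(e.user, day)] += 1
        if e.when.hour not in business_hours:
            findings.append(("after_hours", e.user,
                             f"{e.action} {e.patient} at {e.when.isoformat()}"))
    for (user, day), patients in sorted(patients_by_user_day.items()):
        if len(patients) > max_patients_per_day:
            findings.append(("volume", user, f"{len(patients)} distinct patients on {day}"))
    for (user, day), n in sorted(bulk_by_user_day.items()):
        if n >= max_bulk_per_day:
            findings.append(("bulk_export", user, f"{n} bulk actions on {day}"))
    return findings


def count_by_rule(findings):
    """Per-rule hit counts, the summary a reviewer would record at sign-off."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:12} {user:12} {detail}")
```

Run against the sample, every finding points at one account that viewed a record near midnight and then exported five records at 2 a.m.; that is the kind of pattern that a monthly read of the raw log rarely surfaces but a small script does. The rules are deliberately simple so that whoever owns the review can explain each hit; a hit is a prompt to ask the user, not a verdict.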
Secure networks. Work with IT specialists to set up secure networks protected by firewalls. Consider implementing an intrusion prevention system (IPS) or other measures to detect unauthorized access.
Require encryption of all devices that store PHI, using full-disk encryption that meets HHS guidance so that the loss of a device is not a reportable breach. Remember that this applies to desktop and laptop computers, but also potentially tablets, phones, removable drives, and even digital audio recorders, if these devices contain PHI. Verify that encryption is actually enabled on each device rather than assuming it; keep an inventory that records the result.
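One way to verify the encryption tip above on a Linux workstation or server, as an added example that is not code from the AAD page: it walks the JSON that lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT produces and reports every mounted filesystem that is not stacked on a dm-crypt (LUKS) device. Linux only; on Windows you would query BitLocker status and on macOS FileVault instead. The sample lsblk output below is constructed and describes a laptop with an encrypted root and home volume plus an unencrypted USB stick.

```python
"""List mounted filesystems that are not backed by an encrypted block device."""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
             "children": [
                {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member",
                 "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                    {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/usb"},
        ]},
    ]
})


def _mountpoints(node):
    """lsblk 2.37+ emits "mountpoints": [...]; older releases emit "mountpoint"."""
    mps = node.get("mountpoints") or [node.get("mountpoint")]
    return [m for m in mps if m]


def classify_mounts(lsblk_json):
    """Return {mountpoint: True/False} where True means the filesystem sits on
    (or under) a device of type "crypt", i.e. it is dm-crypt/LUKS protected."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints holding data on an unencrypted device. /boot is normally
    unencrypted by design and holds no PHI, so it is ignored by default."""
    return sorted(mp for mp, encrypted in classify_mounts(lsblk_json).items()
                  if not encrypted and mp not in ignore)


def live_lsblk_json():
    """Capture lsblk from this host (Linux only; needs util-linux with -J)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for mp in unencrypted_mounts(live_lsblk_json()):
        print("UNENCRYPTED:", mp)
```

On the sample the only hit is /media/usb, the removable drive, which is exactly the class of device the tip warns about. The check only sees block-level encryption; a host protected by file-level schemes such as fscrypt or eCryptfs would show as unencrypted here, so treat a hit as a question to answer and record, not a final verdict.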
Set timeouts. Configure computers and other devices that access PHI to lock after a designated period of inactivity and require a new login to resume.
Set permissions. Give staff standard (non-administrator) accounts on their computers so they cannot install programs that might compromise network security.
Install and regularly update anti-virus software on all computers that have access to PHI. Keep sensitive applications and hardware updated with security patches.
Train staff on phishing emails, which cybercriminals use to infect recipients with malware or steal their login credentials. Phishing emails typically imitate a trusted sender and call for urgent action from the user. Staff should know how to report a suspected phishing email rather than act on it.
If you have suffered a cyberattack, take mitigation measures and work with IT specialists to restore systems. Keep in mind that HHS treats a ransomware infection that encrypts electronic PHI as a presumed breach unless a documented risk assessment shows a low probability that the PHI was compromised. In addition to required breach reporting, report cybersecurity incidents to CISA (the agency behind the US-CERT National Cyber Awareness System alerts) and to the FBI's Internet Crime Complaint Center (IC3).
Use multi-factor authentication (MFA). Require MFA for access to sensitive applications and data, especially for remote access and email, and consider single sign-on (SSO) so that the same MFA-protected login covers all of the practice's applications.
Set strong password policies and train staff on these requirements. Passwords should never be based on personal information. While special characters and numbers can help, current NIST guidance (SP 800-63B) treats length as the most important factor and recommends checking new passwords against lists of known-compromised passwords rather than enforcing complexity rules. A common strategy is a passphrase built from a phrase that is memorable to you. For example, the phrase "a long walk to the corner laundry" can become the password "alongwalktothecornerlaundry." Even though the password contains only lower case letters and common words, it is 27 characters long, and long passwords are far more difficult for machines to guess. Avoid well-known phrases such as song lyrics or proverbs, which appear in attackers' word lists, and never reuse a passphrase across systems.
For more information on cybersecurity tips, check out our recommendations for securing mobile devices.