A HIPAA breach is any use, disclosure or acquisition of protected health information that does not comply with the standards set by HIPAA. Breaches come in many shapes and sizes and may violate HIPAA's administrative, physical, or technical safeguards (or all three). Some of the more common violations at small businesses are:
- Failure to honor the authorization expiration date: a patient can set a window of time during which their records may be transferred to an authorized party. Transferring any electronic protected health information (e-PHI) after that window closes is a direct violation of HIPAA.
- Releasing information to an unauthorized party.
- Snooping: employees using their system access to view protected records they have no business need to see, usually those of co-workers or family members.
The most common, and most damaging, HIPAA violation is the unprotected storage and handling of electronic medical records and other electronic data. The following risky scenarios are all too common, especially among small businesses and private practices:
- A stolen laptop
- Inadequate data backup (e.g., backups kept only on a portable hard drive or thumb drive)
- Unsecured email servers
Any of these can compromise your e-PHI and bring regulators knocking, uninvited, at your door.
How Often Does a HIPAA Breach Occur Among Small Businesses?
Data breaches happen far more often than you would expect, and the statistics on data theft at small businesses are alarming.
“In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates cyber attacks, reported 761 data breach cases, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa also estimates that about 95% of the credit-card data breaches it discovers are on its smallest business customers.”
Furthermore, a Ponemon Institute survey conducted for the insurer Hartford Steam Boiler found that 55% of small businesses had suffered a data breach, and of those, 53% had suffered multiple breaches. One case in the study involved a hacker who stole nearly 20,000 credit card records from customers of an online retailer.
What are the Ramifications?
Under the Omnibus Rule, the penalty for a HIPAA violation ranges from $100 to $50,000 per violation depending on the level of culpability, with an annual cap of $1,500,000 for repeat violations of the same provision, so violations should be avoided at all costs (see the full table below).

| Violation type | Each violation | Repeat violations (annual cap) |
|---|---|---|
| Did not know | $100 – $50,000 | $1,500,000 |
| Reasonable cause | $1,000 – $50,000 | $1,500,000 |
| Willful neglect – corrected | $10,000 – $50,000 | $1,500,000 |
| Willful neglect – not corrected | $50,000 | $1,500,000 |
How Small Businesses Can Protect Themselves
The loss or compromise of e-PHI is all too common and can happen to any business, regardless of size. A HIPAA compliant data hosting provider can reduce your exposure to data loss and the HIPAA penalties that follow it. Keep in mind that a hosting provider that stores or transmits your e-PHI is a business associate under HIPAA and must sign a business associate agreement (BAA) with you; outsourcing hosting does not transfer your own compliance obligations. Typical offerings include:
- HIPAA compliant hosted servers (public or hybrid cloud)
- HIPAA compliant dedicated servers
- HIPAA compliant server co-location
- Hosted HIPAA compliant Exchange email
- Managed services
- A secure, reliable platform
HIPAA requirements and enforcement will only tighten over time, so you need a dedicated provider by your side to maintain that protection as the rules change.