What counts as a patient information breach?

Arizona saw nearly 80,000 patient records breached in the first half of 2019 alone. Despite everything health care professionals do to lock up patient information, some experts say data safety is in crisis.

In the future, more people will likely get all the information they need when they need it. But more points of access can make it harder to tell a breach from business as usual.

What is a data breach?

Consider the basic idea of patient data security from the U.S. Department of Health & Human Services (HHS):

• We should protect some information with, for example, passwords.
• We should permit only certain kinds of people to do only certain kinds of things with such information.

So, a data breach is simply an impermissible use of protected information. It is the wrongful use of data by the wrong person.

In health care, the data might be about your health history, social security number, contact information and your payment information. It can also be information that hurts security itself, including the organization’s passwords, procedures and tools for preventing future breaches.

What if the breach is harmless?

What if a trustworthy but unauthorized person accidentally saw the private data? Or what if someone accidentally put it on the web without a password for a while, but nobody seemed to visit the website during that time?

The rule at HHS is the event is a breach. But if the business shows it is unlikely any harm was done, the HHS can change its mind. Showing this could involve a mix of factors:

• The kind and amount of depth of the information, including how well it can personally identify people.
• Who could see or use the information.
• Whether they saw or used the information.
• How well the organization then reduced the data risk.

The HHS may not assume it was a breach in situations such as:

• Someone saw the data accidentally while honestly trying to do their job.
• One person allowed to see the data accidentally shared it with another person authorized to see similar information, and they broke no other rules.
• The person who saw the data is almost certainly could not remember or save it.

The business must notify the affected customers, the media and the HHS within 60 days after they discover the breach.