Breaches of Patient Confidentiality
Breaches of patient confidentiality – defined as disclosures of private information without the patient’s consent – occur more often than most people are aware, both because of blind spots in breach reporting requirements and because of “information breaches of patients”, which are permitted by the HIPAA Privacy Rule and required by law in some states.
Although HHS’ Office for Civil Rights publishes an annual report which includes the total number of breach notifications it receives each year, it is impossible to accurately calculate how many breaches of patient confidentiality occur each year because of reporting failures, notifications that should be retracted, and reports made “in an abundance of caution”.
In addition, there are inconsistent interpretations of the HIPAA breach notification requirements, and occasions when information breaches of patients are permitted by HIPAA. It is also the case that some healthcare providers do not qualify as HIPAA covered entities, and breaches of patient confidentiality in their organizations are subject to state notification laws.
Reported Breaches of Patient Confidentiality
According to HHS’ Annual Report, the Office for Civil Rights (OCR) receives more than 60,000 HIPAA breach notifications per year. Around 1% of this total relates to data breaches affecting more than 500 individuals and details of these breaches of patient confidentiality are published online in the archive section of OCR’s Breach Report Portal.
By studying archived breach notifications, it is possible to identify occasions when HIPAA breaches have been reported even though no breach has occurred or when it is not possible to confirm a breach has occurred (the “abundance of caution” issue). It is not possible to tell how many breaches are not reported, or reported to a state agency instead of OCR.
5 Blind Spots in Breach Reporting Requirements
There are five main blind spots in breach reporting requirements which make it impossible to calculate how many breaches of patient confidentiality occur each year – reporting failures, inconsistent interpretations of the requirements, notifications that should be retracted, the abundance of caution issue, and accessing breach data maintained by state agencies.
Reporting Failures
It is rare that failures to report breaches of patient confidentiality are identified. However, in 2023, an audit of Connecticut’s Department of Social Services identified the failure to report a data breach affecting 58,943 individuals, while earlier this year an audit of Connecticut’s Health Insurance Exchange found a further three unreported data breaches.
Reporting failures are not necessarily attributable to willful neglect. For many years, uncertainty existed over whether ransomware attacks constituted a notifiable breach of patient confidentiality. HHS published guidance on notifying ransomware attacks in 2021. However, some of that guidance raises as many questions as it answers.
Inconsistent Interpretations
A significant factor in calculating how many breaches of patient confidentiality occur each year is inconsistent interpretations. Inconsistent interpretations of the breach notification requirements mean that one HIPAA covered entity will notify OCR of a patient confidentiality breach, while another covered entity will not consider the same breach notifiable.
This issue was highlighted in a survey of 123 Privacy Officers who are members of the American Health Information Management Association (AHIMA). Depending on the scenario, the Privacy Officers’ education, and their prior decision-making experience, up to 61% of Privacy Officers chose not to report a breach of patient confidentiality.
Notifications That Should be Retracted
When a suspected breach of patient confidentiality affects more than 500 individuals, HIPAA covered entities have to notify OCR of the breach within 60 days. Sometimes the 60-day limit does not provide enough time for the actual number of individuals affected to be identified – in which case an estimate is reported until more accurate data is available.
However, in some cases, suspected breaches turn out not to be breaches at all but cyberattacks that were not successful in accessing Protected Health Information (PHI). In such cases, OCR breach notifications should be retracted from the Breach Report Portal, but dozens still remain – inflating the number of data breaches recorded in HHS’ Annual Report.
The Abundance of Caution Issue
The abundance of caution issue affects covered entities that can confirm a breach of patient confidentiality has occurred but cannot identify its scale. In some cases, only a handful of patient records may have been accessed (for example, from a single user’s email account), yet the covered entity notifies every individual in its database.
While the abundance of caution issue does not affect the number of data breaches that occur each year (because a violation that jeopardized patient confidentiality has occurred), it affects the number of records counted in patient confidentiality breaches. Some “abundance of caution” notifications inflate the record count by hundreds of thousands.
Accessing Breach Data Maintained by State Agencies
States mostly exclude HIPAA covered entities from their breach notification requirements, but not all do. Also, some states only require electronic breaches to be reported (i.e., not paper or verbal breaches) or have high reporting thresholds. In many states, breaches are only notifiable when they affect more than five hundred individuals.
This means that many smaller breaches at healthcare organizations that do not qualify as HIPAA covered entities are not on the public record. In addition, because many states do not maintain publicly accessible Breach Report Portals it is impossible to cross-reference state breach notifications with breach notifications received by OCR.
Permitted Information Breaches of Patients
Some disclosures of private information without the patient’s consent are permitted by the HIPAA Privacy Rule and required by law in some states. Permitted information breaches of patients are covered by §164.512 of the Privacy Rule. These include disclosures required by law, disclosures for public health activities, and disclosures for judicial proceedings.
With regards to disclosures required by law, most states have laws that mandate disclosures of private information without the patient’s consent under certain circumstances. These circumstances include – but are not limited to – disclosures to report child abuse, domestic violence, elder abuse, or non-accidental injuries (i.e., knife injuries, gunshot wounds, etc.).
Examples of Breaches in Patient Confidentiality
Excluding notifications that should be retracted, the archive section of OCR’s Breach Report Portal currently contains more than five thousand examples of breaches of patient confidentiality. The most common causes of these breaches are Hacking/IT Incidents, Unauthorized Access or Disclosure, and Loss/Theft of Devices.
Since 2021, The HIPAA Journal has produced monthly and annual reports containing examples of breaches in patient confidentiality and analyses of data breaches affecting more than 500 individuals. Visitors can access the reports – and a complete list of financial penalties issued by OCR – by clicking on the applicable link in the table at the top of this page.
Breaches vs. Violations in Patient Confidentiality
The terms breaches of patient confidentiality and violations in patient confidentiality are often used interchangeably – but there is a subtle difference between the two terms. Breaches of patient confidentiality in healthcare are defined as disclosures of private information without the patient’s consent for any reason, regardless of intent or outcome.
Violations in patient confidentiality are breaches attributable to the knowing and wrongful disclosure of individually identifiable health information under false pretenses and/or with the intention to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm in violation of §1177 of the Social Security Act.
Why Patient Confidentiality is Important in Healthcare
Patient confidentiality is important in healthcare because of the consequences of non-confidentiality. These consequences not only include civil monetary penalties issued by OCR and State Attorneys General – and an increasing number of private lawsuits – but also subsequent obstacles to the delivery of healthcare and the impact on patient trust.
With regards to private lawsuits, although HIPAA does not have a private right of action, individuals harmed by a breach in patient confidentiality can file lawsuits alleging violations of other federal or state laws. For example, a recent $12.25 million settlement for a patient confidentiality breach found Advocate Aurora Health in violation of federal and state wiretap laws, the California Invasion of Privacy Act (CIPA), and California state larceny law.
Obstacles to healthcare delivery following a patient confidentiality breach can include the reassignment of resources to ensure healthcare compliance, delays in treatment due to new procedures being introduced, and additional reporting requirements. Workforce members may also be unavailable to assist with the delivery of healthcare due to additional compliance training requirements.
However, the most important reason why patient confidentiality is important in healthcare is patient trust. Research shows that more than half of patients lose trust in their healthcare providers following breaches of patient confidentiality. This limits how much personal information they are willing to share – making it harder for healthcare providers to make accurate diagnoses and prescribe effective courses of treatment.
The inability to make accurate diagnoses and prescribe effective courses of treatment results in worse patient outcomes, higher readmissions, lower staff morale, and further treatment delays. In turn, this could lead to shortcuts being taken with data privacy and security, leading to further breaches of patient confidentiality. The ongoing consequences of a loss of patient trust demonstrate why patient confidentiality is important in healthcare.