Profiles in patient privacy protection

How HIPAA omnibus rules effectively reduced the number of data breaches among health care providers’ business associates

Medical records clerk working in a community health center

In 2013, the U.S. Department of Health and Human Services made a significant change to the nation’s health care privacy law by finalizing the omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA). The new rules expanded coverage of HIPAA to include business associates of health care providers, holding them to the same compliance standards as the providers themselves. Previously, business associates such as accounting firms, technology consultants, and others with access to individuals’ personal health information were not subject to civil or criminal penalties for violating HIPAA.

In a new study, Niam Yaraghi and Ram Gopal use data on breach incidents occurring in the years before and after the rules change to analyze its effect. Their results, visualized below, show that implementation of the omnibus rules led to a significant reduction in the number of privacy breaches among business associates, preventing 165 breaches that could have affected nearly 17 million Americans.

Medical Data Breaches, By Year

Since 2010, 1,819 data breaches affecting 500 or more patients have occurred in the U.S. originating from both health-care providers and their third-party business associates. In 2013, new HIPAA regulations required business associates to put in place safeguards to protect patient information. The rules have prevented an estimated 165 breach incidents among business associates. OCR announced the HIPAA omnibus rules on January 25, 2013. These rules became effective March 26, 2013, with compliance required by September 23, 2013.

[Chart: breaches per year, with series for Healthcare Organizations and Business Associates and the HIPAA law change marked]


Individuals affected by medical data breaches

Implementation of the HIPAA omnibus rules coincided with a spike in the number of privacy breaches in the health care market. Based on this observation, one could argue that had the omnibus rules not been in place, we would have observed a similar spike in the number of privacy breaches among business associates. In other words, implementation of the rules has dampened the effects of an otherwise powerful driver of privacy breaches.

                          2010   2011   2012   2013   2014   2015   2016   2017*   Total
Healthcare organizations  4M     4.2M   1.7M   5.9M   4.3M   109M   13.1M  44K     142.7M
Business associates       1.5M   8.9M   1.1M   1M     8.4M   3.9M   3.6M   0       28.6M

*Through March 1, 2017


Total individuals affected by medical breach type between 2010–2016*

More than 171 million Americans have had their privacy jeopardized by health care data breaches in the past seven years. The most common kind of data breach (13.8%) was the result of Theft, though more people were affected by Hacking/IT incidents, which can threaten the privacy of more individuals at one time.

  1. Hacking/IT Incident

  2. Theft

  3. Loss

  4. Unauthorized Access/Disclosure

  5. Other/Unknown

  6. Improper Disposal


*Some data breaches fall into multiple categories