Profiles in patient privacy protection

In 2013, the U.S. Department of Health and Human Services made a significant change to the nation’s health care privacy law by finalizing the omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA). The new rules expanded coverage of HIPAA to include business associates of health care providers, holding them to the same compliance standards as the providers themselves. Previously, business associates such as accounting firms, technology consultants, and others that have access to individuals’ personal health information, were not subject to civil or criminal penalties for violating HIPAA.

In a new study, Niam Yaraghi and Ram Gopal use data on breach incidents occurring in the years before and after the rules change to analyze its effect. Their results, visualized below, show that implementation of the omnibus rules led to a significant reduction in the number of privacy breaches among business associates, preventing 165 breaches that could have affected nearly 17 million Americans.

Medical Data Breaches, By Year

Since 2010, 1,819 data breaches affecting 500 or more patients have occurred in the U.S. originating from both health-care providers and their third-party business associates. In 2013, new HIPAA regulations required business associates to put in place safeguards to protect patient information. The rules have prevented an estimated 165 breach incidents among business associates. OCR announced the HIPAA omnibus rules on January 25, 2013. These rules became effective March 26, 2013, with compliance required by September 23, 2013.

HIPAA law change Healthcare Organizations Business Associates

Individuals affected by medical data breaches

Implementation of the HIPAA omnibus rules coincided with a spike in the number of privacy breaches in the health care market. Based on this observation, one could argue that had the omnibus rules not been in place, we would have observed a similar spike in the number of privacy breaches among business associates. In other words, implementation of the rules has dampened the effects of an otherwise powerful driver of privacy breaches.

	2010	2011	2012	2013	2014	2015	2016	2017*	Total
Healthcare organizations	4M	4.2M	1.7M	5.9M	4.3M	109M	13.1M	44K	142.7M
Business associates	1.5M	8.9M	1.1M	1M	8.4M	3.9M	3.6M	0	28.6M
Total	5.5M	13.1M	2.8M	6.9M	12.7M	113.2M	16.6M	44K	171.3M

^*Through March 1, 2017

Total individuals affected by medical breach type between 2010–2016^*

More than 171 million Americans have had their privacy jeopardized by health care data breaches in the past seven years. The most common kind of data breach (13.8%) was the result of Theft, though more people were affected by Hacking/IT incidents, which can threaten the privacy of more individuals at one time.

Hacking/IT Incident
128.6M
Hacking/IT Incident Top 5:
1. 78.8M, 03/13/2015Anthem, Inc. Affiliated Covered Entity, IN
2. 11M, 03/17/2015Premera Blue Cross, WA
3. 10M, 09/09/2015Excellus Health Plan, Inc., NY
4. 4.5M, 07/17/2015University of California, Los Angeles Health, CA
5. 3.9M, 07/23/2015Medical Informatics Engineering, IN
Theft
23.5M
Theft Top 5:
1. 4.5M, 08/20/2014Community Health Systems Professional Services Corporation, TN
2. 4M, 08/23/2013Advocate Health and Hospitals Corporation, IL
3. 1.7M, 02/11/2011GRM Information Management Services, NJ
4. 1.2M, 06/03/2010AvMed, Inc., FL
5. 1M, 11/01/2010BlueCross BlueShield of Tennessee, Inc., TN
Loss
8M
Loss Top 5:
1. 4.9M, 11/04/2011Science Applications International Corporation, VA
2. 1M, 10/07/2011The Nemours Foundation, FL
3. 800K, 07/19/2010Iron Mountain Data Products, Inc., PA
4. 483K, 02/12/2016Radiology Regional Center, FL
5. 75K, 11/10/2014Visionworks Inc., TX
Unauthorized Access/Disclosure
6.7M
Unauthorized Access/Disclosure Top 5:
1. 2M, 09/10/2014Xerox State Healthcare, LLC, TX
2. 652K, 08/12/2016Bon Secours Health System Incorporated, MD
3. 475K, 11/04/2010Puerto Rico Department of Health – Triple S Management Corp.
4. 308K, 10/03/2014Touchstone Medical Imaging, LLC, TN
5. 228K, 04/24/2012Department of Health and Human Services, SC
Other/Unknown
3.2M
Other/Unknown Top 5:
1. 1.9M, 04/14/2011IBM, NY
2. 315K, 04/18/2012Emory Healthcare, GA
3. 188K, 07/01/2013RCR Technology Corporation, IN
4. 160K, 12/15/2014Walgreen Co., IL
5. 84K, 04/05/2010Providence Hospital, MI
Improper Disposal
961K
Improper Disposal Top 5:
1. 277K, 07/11/2013Shred-it International Inc., TX
2. 189K, 05/07/2013Digital Archive Management, TX
3. 114K, 01/25/2016Community Mercy Health Partners, OH
4. 55K, 11/02/2011Lebanon Internal Medicine Associates, PA
5. 50K, 06/04/2015Lancaster County EMS, SC

^*Some data breaches fall into multiple categories

Profiles in patient privacy protection

Subscribe to the Center for Technology Innovation Newsletter

Profiles in patient privacy protection

How HIPAA omnibus rules effectively reduced the number of data breaches among health care providers’ business associates

Niam Yaraghi and Niam Yaraghi Nonresident Senior Fellow - Governance Studies, Center for Technology Innovation @niamyaraghi Ram Gopal RG Ram Gopal GE Capital Endowed Professor of Business - University of Connecticut’s School of Business

Medical Data Breaches, By Year

Individuals affected by medical data breaches

Total individuals affected by medical breach type between 2010–2016*

Hacking/IT Incident

Theft

Loss

Unauthorized Access/Disclosure

Other/Unknown

Improper Disposal

Niam Yaraghi and Ram Gopal

Total individuals affected by medical breach type between 2010–2016^*