Niam Yaraghi
Nonresident Senior Fellow - Governance Studies, Center for Technology Innovation
Ram Gopal
GE Capital Endowed Professor of Business - University of Connecticut’s School of Business
In 2013, the U.S. Department of Health and Human Services made a significant change to the nation’s health care privacy law by finalizing the omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA). The new rules expanded coverage of HIPAA to include business associates of health care providers, holding them to the same compliance standards as the providers themselves. Previously, business associates such as accounting firms, technology consultants, and others that have access to individuals’ personal health information, were not subject to civil or criminal penalties for violating HIPAA.
In a new study, Niam Yaraghi and Ram Gopal use data on breach incidents occurring in the years before and after the rules change to analyze its effect. Their results, visualized below, show that implementation of the omnibus rules led to a significant reduction in the number of privacy breaches among business associates, preventing 165 breaches that could have affected nearly 17 million Americans.
Medical Data Breaches, By Year
Since 2010, 1,819 data breaches affecting 500 or more patients have occurred in the U.S. originating from both health-care providers and their third-party business associates. In 2013, new HIPAA regulations required business associates to put in place safeguards to protect patient information. The rules have prevented an estimated 165 breach incidents among business associates. OCR announced the HIPAA omnibus rules on January 25, 2013. These rules became effective March 26, 2013, with compliance required by September 23, 2013.
Individuals affected by medical data breaches
Implementation of the HIPAA omnibus rules coincided with a spike in the number of privacy breaches in the health care market. Based on this observation, one could argue that had the omnibus rules not been in place, we would have observed a similar spike in the number of privacy breaches among business associates. In other words, implementation of the rules has dampened the effects of an otherwise powerful driver of privacy breaches.
| 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017* | Total | |
| Healthcare organizations | 4M | 4.2M | 1.7M | 5.9M | 4.3M | 109M | 13.1M | 44K | 142.7M |
| Business associates | 1.5M | 8.9M | 1.1M | 1M | 8.4M | 3.9M | 3.6M | 0 | 28.6M |
| Total | 5.5M | 13.1M | 2.8M | 6.9M | 12.7M | 113.2M | 16.6M | 44K | 171.3M |
*Through March 1, 2017
Total individuals affected by medical breach type between 2010–2016*
More than 171 million Americans have had their privacy jeopardized by health care data breaches in the past seven years. The most common kind of data breach (13.8%) was the result of Theft, though more people were affected by Hacking/IT incidents, which can threaten the privacy of more individuals at one time.
-
Hacking/IT Incident
128.6M -
Theft
23.5M -
Loss
8M -
Unauthorized Access/Disclosure
6.7M -
Other/Unknown
3.2M -
Improper Disposal
961K
*Some data breaches fall into multiple categories
Related
