What is a PHI Breach (Protected Health Information Breach)?

A PHI breach, or protected health information breach, occurs when there is unauthorized access, use, or disclosure of individually identifiable health information held or transmitted by a healthcare organization or its business associates.

In the U.S., protected health information (PHI), whether in electronic, paper, or oral form, is protected by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Why is the Healthcare Sector Vulnerable to Data Breaches?

The healthcare sector has become a popular target for criminal, financially motivated cyberattacks in recent years. One reason is that PHI cannot easily be canceled or changed, unlike illegally appropriated personal electronic financial information such as credit cards and bank account numbers.

That persistence is what makes PHI attractive to criminals who hack into health data or physically steal printed records or storage media. PHI is also valuable because it sits inside a longitudinal electronic record that contains not only health details but other high-value data, such as date of birth, Social Security number, and financial information like credit card numbers.

Attackers who can get their hands on this data can potentially misuse it to commit Medicare or other medical fraud. Other criminal motives for attempting PHI breaches include identity theft, insurance scams, and financial exploitation.

How Does HIPAA Define a PHI Breach?

According to the HIPAA Breach Notification Rule (45 CFR § 164.400-414), a breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

The HIPAA Breach Notification Rule carves out three exceptions to this definition. HIPAA also differentiates between a HIPAA breach and a HIPAA violation.

What are the HIPAA Breach Notification Requirements?

The HIPAA Breach Notification Rule requires that Covered Entities (CEs) notify affected individuals, either in writing or by email, no later than 60 days after discovery of the breach.

The notification must include certain details, such as:

  • the type of information involved
  • all dates associated with the event
  • a description of what happened
  • a copy of any relevant law or policy
  • a statement about protection, including the steps the covered entity will take to protect the individual's information
  • a contact person who can provide more information about the breach

A CE must also provide a toll-free phone number that remains active for at least 90 days to help individuals learn if their PHI was involved in the breach.

Penalties for Violating the HIPAA Breach Notification Rule

HIPAA CEs must follow the breach notification rules, particularly the notification timelines. Otherwise, they risk financial penalties from the HHS Office for Civil Rights (OCR).

Several healthcare organizations have incurred hefty penalties imposed by the HHS OCR.

Preventing PHI Breaches

The number of healthcare data breaches has increased year-on-year between 2009 and 2024. Large-scale breaches affecting over 500 individuals are on the rise, with 60 million records breached in 2021, 168 million in 2023, and 275 million in 2024.

Strategies for Healthcare Organizations to Minimize PHI Breaches

Some strategies that healthcare organizations can adopt to minimize the potential for PHI breaches include:

  • Implementing multifactor authentication and advanced perimeter monitoring technologies
  • Deploying identity monitoring tools
  • Training employees about ransomware and other threats, and adopting good digital hygiene practices such as keeping software updated and never clicking links in unsolicited emails
  • Implementing comprehensive policies that determine who can access PHI, how they can use it, and to whom they can disclose it

The Importance of Risk Assessments Following a PHI Breach

Per the HIPAA Breach Notification Rule, any impermissible use or disclosure of PHI is considered a breach, and the CE must notify all affected individuals and other parties about the incident.

The only way the CE can avoid sending these notifications is by demonstrating that the incident was not a breach. To do so, the CE must perform a risk assessment based on at least four factors.

Factors to Consider in Risk Assessments

  • PHI breaches are an ongoing issue for the healthcare industry.
  • The number of records exposed, stolen, or impermissibly disclosed has increased over the past few years.
  • Last year's major healthcare cyberattacks impacted millions, exposing vulnerabilities and underscoring the need for strong cybersecurity to protect patient data.

By understanding these strategies and following HIPAA guidelines, healthcare organizations can minimize the risk of PHI breaches and ensure that patients' sensitive information is protected.