Why data mining is functionally required after a HIPAA breach

Understanding the particularity requirements buried inside the Health Insurance Portability and Accountability Act's Breach Notification Rule, and why compliance depends on what a covered entity can demonstrate.

Contributors:
Megan Silverman
CIPP/US
Vice President, Cyber Strategy & Solutions
Integreon
When a hacking-related breach hits a healthcare organization, the instinct is to focus on containment and recovery. But legally, that is only half of the response.
Under the U.S. Health Insurance Portability and Accountability Act’s Breach Notification Rule, a parallel obligation kicks in almost immediately. To determine whether a breach must be reported and to whom, a covered entity must conduct a particularized risk assessment that answers specific factual questions about what data was involved, whether it was accessed, and how likely it is that affected individuals could be harmed.
That detailed analysis is only possible through systematic data mining. While HIPAA does not mandate data mining by name, the level of particularity required by the rule effectively necessitates it in large-scale incidents.
The breach presumption: The burden of proof
The starting point is the definition of breach in 45 C.F.R. § 164.402. A breach is any acquisition, access, use or disclosure of protected health information that is not permitted under HIPAA's Privacy Rule and compromises the security or privacy of the protected health information. But the rule does not require regulators to prove a compromise occurred. Instead, § 164.402(2) establishes a presumption: Any impermissible access or disclosure is presumed to be a breach unless the covered entity can demonstrate a low probability of compromise.
To rebut that presumption, the covered entity must conduct a risk assessment addressing at least four enumerated factors. Get the assessment wrong or fail to adequately document it, and the presumption stands. The covered entity is then obligated to notify affected individuals, the Secretary of Health and Human Services, and, in large-scale incidents, the media.