Lessons learned from HIPAA compliance breaches

Healthcare data breaches continue to climb, with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) tracking a consistent rise in cases since 2009. Notable breaches, such as Anthem Inc.’s 2015 incident that exposed nearly 79 million patient records and the more recent breach involving Change Healthcare, show the risks healthcare organizations face.

With cybercriminals constantly changing their tactics, healthcare organizations must take steps to strengthen their security and compliance measures. According to Kyle Helles, partner at BARR Advisory, a proactive, risk-based approach is key to preventing unauthorized disclosure of protected health information (PHI) and maintaining patient trust.

How to prevent unauthorized disclosure of PHI

To protect patient data, organizations need to start by assessing their risks and creating policies that address those risks. According to Helles, risk assessments are at the core of a strong security program. 

“Effective controls begin with assessing the risks within your organization and creating policies that address those risks,” he explains. “Healthcare organizations need to include HIPAA as an input to their risk assessments and determine if their existing policies and procedures meet each HIPAA requirement and mitigate related risks.”

In addition to risk assessments, Helles says organizations need clear policies that cover access safeguards, response procedures for privacy breaches, and ongoing HIPAA training for employees. Proactive security measures—like encryption, access controls, and audit logs—can also reduce the chances of unauthorized disclosure.

The role of staff training in HIPAA compliance

While policies and security measures are fundamental, employees are often the first line of defense. Many data breaches happen because of human error, which makes staff training one of the most effective ways to reduce risks.

Helles argues that training should be practical, not theoretical. “HIPAA training is absolutely critical,” he says. “Training programs that translate HIPAA requirements into plain language, and that enforce understanding through exercises, will always be best.”

Organizations should offer training in multiple formats to meet different learning styles—whether through workshops, online courses, or visual aids. The goal is to ensure that employees fully understand how to protect patient data and what their role is in maintaining compliance.

How breaches impact patient trust—and what to do after one happens

A breach doesn’t just expose sensitive information—it also damages patient trust. According to Helles, how an organization responds to a breach can make all the difference in whether that trust is rebuilt or permanently lost.

“Data breaches are now a part of everyday life; people are used to the idea that the organizations they interact with are frequently targeted by cybercriminals,” he explains. “It’s how organizations prepare for and respond to those breaches that sets them apart.”

Helles suggests that organizations act quickly to contain the breach, securely restore their systems using backup protocols, and communicate openly with patients and stakeholders about what happened and what they’re doing to fix it. Transparency during the response process helps rebuild trust.

Lessons from past breaches

Looking at major breaches in healthcare, Helles says there’s a recurring theme: waiting until after a breach to take action doesn’t work.

Many organizations only start to put policies or training programs in place after an incident occurs. But with cybercriminals attacking around the clock, waiting is no longer an option.

“In the world we live in, where systems are being targeted by cybercriminals around the clock, why wait?” he says.

Moving forward

With healthcare organizations facing constant cyber risks, prevention needs to be a priority. Regular risk assessments, comprehensive staff training, and transparent communication with patients can go a long way in reducing the risk of breaches and maintaining trust. Learning from past breaches and taking steps to strengthen security posture helps organizations create a culture that prioritizes both data protection and patient confidence.

“Cybercriminals don’t take breaks, and neither should your security measures,” Helles says.

FAQs

Can healthcare organizations be penalized even if no patient harm occurs during a breach?

Yes. The Department of Health and Human Services (HHS) can impose penalties for HIPAA violations even if no patient suffers direct harm. Fines are based on factors such as the organization's negligence, the size of the breach, and how quickly the issue is addressed after discovery.

How can healthcare providers handle third-party vendor risks under HIPAA?

Healthcare providers must ensure that the vendors who access or process protected health information sign Business Associate Agreements (BAAs). Beyond that, organizations should monitor these vendors regularly and verify that they follow appropriate security measures to prevent third-party breaches.

What types of security incidents need to be reported under HIPAA?

HIPAA requires reporting any incident that results in unauthorized access, use, disclosure, or loss of protected health information. This includes not just cyberattacks, but also lost or stolen devices, accidental disclosures, and insider threats. Failing to report an incident can result in increased penalties.

How can smaller healthcare organizations with limited budgets strengthen their HIPAA compliance?

Smaller organizations can prioritize affordable measures such as regular employee training, using secure email solutions, and implementing access controls. They can also outsource IT security to third-party providers who offer managed HIPAA compliance services, reducing the burden of in-house management.