**2. Patient information data breaches can lead to patient identity theft**

In the United States, citizens are protected by federal, state, and potentially smaller sub-state regulations. Each industry sector is potentially subject to unique legal and other sector-specific requirements. In fact, today most, if not all, states have their own personally identifiable information (PII) legislation. Historically, these laws have not been well understood and in most cases were written by non-technical authors. As a result, the legal and technical specifications have gaps, both in understanding and in their feasibility under current technological constraints.

#### **2.1 Entities covered under HIPAA**

HIPAA requires at least three covered groups, referred to by the law as Covered Entities, to protect health information. Examples of covered entities are healthcare providers, health plans, and business associates. Healthcare providers transmit electronic patient information in connection with a Health and Human Services (HHS)-adopted standard transaction. Health plans include insurance companies, health maintenance organizations (HMOs), corporate health plans, and government programs. Business associates are external groups or organizations that perform activities or services involving ePHI on behalf of another group covered under HIPAA. **Figure 1** [6] shows one year of reports by covered entity to the Office of Civil Rights (OCR).

*Risk in Healthcare Information Technology: Creating a Standardized Risk Assessment Framework DOI: http://dx.doi.org/10.5772/intechopen.96456*

**Figure 1.** *OCR-covered entities investigated.*
