This blog post was written by our guest blogger Al Tripodi, Healthcare Administrative Assistant at Research & Marketing Strategies (RMS).
Redspin, a leading provider of penetrating testing services and IT security audits, annually analyzes breaches that have been reported to the Department of Health and Human Services (DHHS). This blog provides a summary of findings published in their 2013 report released in February 2014.
HIPAA data breaches have climbed 138 percent from the number of patient records breached in 2012-2013 according to Redspin’s 4th Annual Report. A total number of 29,276,385 patient health records have been affected by a breach since 2009. The number of patient health records breached in 2013 alone was 7,095,145. Keep in mind that these numbers only include reported breaches that affected more than 500 patients and that were reported to HHS from August 2009 to December 16, 2013. Breaches that impacted less than 500 are reported to HHS on an annual basis but are not made available to the public.
Lisa Gallagher, Senior Director of Privacy and Security for HIMSS, said at the 2012 Boston Privacy Forum, that somewhere between 40 million to 45 million patient records have actually been compromised. The number can’t be confirmed, as the data isn’t all there, she adds, but it’s a more accurate number based on healthcare organizations’ reporting.
The percent of the total records breached in 2013 was 85.4% resulting from the 5 largest incidents. The top 5 were:
- #1-Advocate Medical Group where four laptops containing more than 4 million patient records were stolen on July.
- #2-AHMC Healthcare where thieves accessed a sixth-floor, video-monitored office to steal two laptops, which contained Medicare patient data from six AHMC hospitals in California affecting 729,000 people
- #3-Texas Health Harris Methodist Hospital Fort Worth where, in a bizarre incident, sheets of microfiche containing patient records from the ‘80s and ‘90s were found in several Fort Worth public areas that affected 277,014 people
- #4-Indiana Family & Social Services Administration where a computer programming error caused by a business associate wreaked havoc on Indiana FSSA’s client mailers affecting 187,533 people
- #5-Cogent Healthcare Inc., a transcription company, where patient medical treatment history was compromised when a business associate stored data on a non-secure site opening up public access to the records of 32,151 people for more than a month.
From the same report:
- 83.2% of patient records breached in 2013 resulted from theft
- 22.1% of breach incidents in 2013 resulted from unauthorized access
- 35% of incidents in 2013 were due to the loss or theft of an un-encrypted laptop or other portable electronic device
- Less than 20% of PHI breaches have involved a business associate each year from 2009-2013.
Under the new HIPAA Final Omnibus Rule, covered entities and business associates responsible for violating HIPAA privacy and security rules by failing to safeguard patient protected health information could face a potential of up to $1.5 million in annual fines. Out of the more than 90,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.
To prevent audits, this is what you can and should be doing:
- Risk Assessments, encrypting of end-user devices and contingency planning are likely the key areas that auditors will be examining. HIPAA-covered entities most often make their biggest misstep due to risk analysis inadequacies. This applies to business associates and covered entities alike. It’s the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis,” HHS’ Office for Civil Rights Director Leon Rodriguez said. Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.
- A majority of reported breaches involve lost or stolen devices that are not encrypted. The best thing you can do for your practice is to be sure that you are using encryption software on all of your devices.
- Finally, make sure that you have a Contingency Plan in place and that you are following the plan.
In summary, PHI breaches will continue to be reported at an exponential rate, and no question that physician practices, hospitals, health plans as well as business associates are working diligently to mitigate risks for exposure. As technology continues to advance, so must vigilant efforts to protect patient data.
RMS Healthcare can provide consultation and training services to ensure HIPAA Privacy and Security Compliance within your organization. If you would like to learn more about HIPAA Privacy and Security Compliance or further discuss how RMS Healthcare can help you, contact our Director of RMS Healthcare Susan Maxsween at SusanM@RMSresults.com or by calling 1-866-567-5422.
Breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice; take a deep breath, find an experienced HIPAA consultant, get a hold of some quality HIPAA policy templates and begin the process. You’ll get there!