Don’t Join the HIPAA Data Breach ‘Wall of Shame’
Mike Semel
Semel Consulting
In compliance with the HIPAA Data Breach Notification Rule, more than 570 HIPAA data breaches of over 500 records have been reported since 2010, with over 21 million patient records lost. This information is posted on a federal website known informally as the HIPAA ‘Wall of Shame.’
All HIPAA data breaches are reportable. If you lose more than 500 records you have up to 60 days to notify the affected patients and report the loss to the US Department of Health Office for Civil Rights (OCR). Smaller HIPAA data breaches still require patient notification and must be reported to OCR in an annual report. California has even stricter requirements.
Checking out the Wall of Shame confirms that many breaches are caused by the loss of laptop computers, desktop computers, and servers. Breaches have occurred with the loss of other data storage devices, backup tapes and drives, and improper use of e‑mail. Cell phones and tablets are listed as ‘other portable devices.’ Over 20% of the reported breaches have been caused by Business Associates.
Some of the HIPAA data breaches are criminal, such as selling patient information to personal injury attorneys, and some are simple human error, like setting an automatic envelope stuffer to insert four pages in each envelope instead of one, providing each recipient with an unexpected surprise of three other patients' medical records, including names and Social Security numbers.
There is a lot to learn from this website and the breach notification rule. Do your employees know the civil and criminal penalties for breaching patient information? Health care institutions have implemented checklists and double- or triple-checks to ensure that the correct procedures are taking place. Have you implemented checklists and double-checks in your office to ensure that HIPAA data breaches are being prevented?
Encrypt Patient Data Everywhere, at Rest and in Transit
None of the breaches of electronic data would have been reportable if the data had been encrypted (encryption is a ‘Get Out of Jail Free Card’ in the data breach reporting rule). Some large breaches were caused when file servers were stolen, so don’t assume that only laptops and other portable devices are targets. Remember that Electronic Protected Health Information (ePHI) includes any data file that contains a patient identifier plus any diagnosis or treatment information. These files can be in any form: written documents, images, or voice files. Get pricing on encrypting all of the devices that store ePHI and compare the cost to the $1.5 million fine last year for a single stolen unencrypted laptop, and the $1.7 million fine for a single stolen unencrypted hard drive.
Where is your data?
Think through your workflows. Which medical devices send data to PCs or servers, or connect to billing systems? How are your data backups transported off-site? Are doctors creating voice files on digital recorders to send to transcriptionists? Images can be anything, including photos, X-rays, MRIs, CAT scans, ultrasounds, scanned documents, etc. Are voice messages and faxes being converted to e-mails? Are staff members e-mailing patient information to your remote offices or to other practices for referrals?