History can be useful in guiding our future actions, and it’s generally considered wise to learn from past mistakes. Healthcare providers have an advantage here, because we can learn from the HIPAA violations of others to avoid similar pitfalls and penalties. This article explores the most common violations reported in 2014 and provides insight for preventing them in your own organization.
Last year in the healthcare industry, nearly five million records were affected by 75 data breaches, according the Privacy Rights Clearinghouse, which has collected such information since 2005.
Thanks to the widespread adoption of electronic health records, 93 percent of those five million records were in electronic form.
Healthcare is right on trend with other U.S. industries, including financial, education and retail, who reported that 99 percent of their affected records were electronic.
In the same way that customers, depositors, investors and other individuals trust organizations to safeguard their personal information, patients trust their healthcare providers to do the same. In addition to electronic protected health information, or ePHI, the data they trust us with often includes credit card and personal information.
Clearly, it is vital to effectively secure and protect ePHI as well as other sensitive information you collect in the course of managing your practice and providing healthcare services.
Of the 75 breaches of healthcare data in 2014, the unintentional disclosure of PHI or other personal information accounted for 23 percent – the lion’s share of last year’s data breaches.
Unintentional disclosure of PHI can occur in a number of ways, as we’ll see, and there are two HIPAA Privacy Rule regulations that bear strongly on such disclosure. One is 45 CFR 164.502(a)(1)(iii), which covers ‘Incidental Uses and Disclosures.’ It allows certain incidental uses (of PHI) that occur as a by-product of another permissible or required use or disclosure (of PHI) as long as the covered entity has applied reasonable safeguards and implemented the ‘Minimum Necessary’ standard.
The Minimum Necessary Standard, described in 45 CFR 164.502(b) and 164.514(d), requires covered entities to take reasonable steps to limit the use or disclosure of PHI to the minimum disclosure necessary to accomplish the intended purpose.
How Unintended Disclosure Occurs and How to Avoid It
Following are examples of unintentional disclosure covered by the HIPAA Security Rule. As you read, consider which of them may be occurring in your organization.
Patient information can be accessed or viewed by staff who, based on their job or title, have no valid reason to view that information (i.e., they do not ‘need to know’).
Computer screens can be viewed from common or public areas, and/or do not use screensavers, screen protectors or time-outs.
Staff conversations can be overheard by patients or other staff who do not ‘need to know.’
Patient bills or information have been accidentally mailed to the wrong patient or address, or prescriptions have been mistakenly faxed or emailed to an address other than the pharmacy.
Employees are able to visit unsecured websites, which can install malware on computers to siphon off patient data for sale on the black market.
Employees are unaware of the danger of clicking links in emails they receive from unknown or non-professional sources, which includes allowing hackers to gain entry to your systems or malware to be installed.
Multiple office staff use the same password to access the computer or EHR system.
Have you put reasonable safeguards in place to prevent these types of unintentional disclosure? And have you implemented the Minimum Necessary standard throughout your organization? If not, these findings will be called out in your next annual HIPAA Security Risk Assessment, and it is unlikely that you will pass an audit until they are resolved.
Actions you can take to prevent the above vulnerabilities include:
Assign levels of access to systems and PHI based on each employee’s role and resultant need to know
Establish system access based on login credentials unique to each user (this will also enable you to track user access to PHI)
Move computer screens and other visible sources of PHI away from public and common view
Activate screensavers and screen time-outs
Restrict access to external websites.
It is also mandatory to train, and regularly remind/retrain, all staff on privacy and security measures they must observe for HIPAA compliance and patient protection.
Loss or Theft of Portable Devices
Close behind Unintentional Disclosure as the cause of most healthcare data breaches in 2014, the loss or theft of portable computing devices was responsible for 21 percent of breaches reported to the Privacy Rights Clearinghouse.
These devices include smartphones, tablets and laptops as well as portable data storage and transfer devices such as CDs and thumb-drives. They can be inadvertently left behind somewhere or misplaced and never found. Or they can be spotted by someone who can’t resist the temptation to lift an easy target.
The PHI or other data that resides on any of these devices is vulnerable if it has not been properly safeguarded, as is the case with any of the following:
- Missing password-protection or missing encryption
- Security protections that are out-of-date or have not been turned on
- Security measures that are residential-grade rather than designed for commercial or enterprise use
- Devices that do not permit data to be wiped remotely in case of loss or theft.
- Devices that regularly auto-connect to an unsecured public Wi-Fi hot spot, such as a coffee shop or restaurant, are also vulnerable to opportunistic data thieves.
Beyond HIPAA Compliance
HIPAA Privacy and Security Rules were enacted, and are vigorously enforced, for a multitude of good reasons. The fact is, however, that your organization needs to secure its ePHI and associated computing and storage devices not only for HIPAA compliance purposes – but also to preserve your patients’ trust, avoid fines and unwanted publicity, and enjoy some much-needed peace of mind.
Gail Blount is communications manager for JDL Technologies (www.jdltech.com), and has worked in the information technology industry for eight years, including five in cybersecurity. She created an award-winning eBook explaining the Florida Information Protection Act of 2014 and its impact on healthcare IT. Contact Gail at email@example.com.