HIPAA breaches are serious business, and breaches involving the cloud are a particular worry for many of you. A breach compromises the trust you have established with patients or customers, it is a PR nightmare, and it can be very expensive to remedy. So naturally, covered entities and their business associates have a big stake in safeguarding protected health information (“PHI”).
But breaches still occur, and all too frequently. Although many in the medical community fear that breaches are most likely to result from computer hacking, that is not the case. I recently analyzed breaches affecting 500 or more individuals to determine where and why violations occur.
As background, I work for Software Advice, a company that talks to dozens of medical practices a day to help them find software, such as electronic health records (“EHRs”), that meets their needs. We review and recommend plenty of cloud-based EHRs, and one concern that we hear over and over is this: Won’t storing records in the cloud make me more vulnerable to hacking?
According to my analysis, no. Of the 660 reported incidents, which together affected some 26.8 million individuals, only 8 percent involved hacking. Perhaps more telling, only 3 percent involved EHRs in any capacity. (Both figures are shares of incidents, not of records exposed; a single hacking incident can expose far more records than a lost laptop, so the two measures should not be conflated.)
In short, the idea that the cloud is inherently riskier than other storage methods doesn’t hold water, at least for the threat that practices worry about most. So where are breaches actually occurring?
Here’s a look at the five biggest breaches in reported history, which give a good sense of the most common offenses:
As you can see, theft and loss predominate. Backup tapes and unencrypted computers, servers, and laptops are recurring themes. And although these are only five of the 660 incidents, the rest of the breach data shows the same trends.
The charts below break down type of breach and medium of breach for the entire data set.
Theft, loss, and unauthorized access or disclosure account for more than 75 percent of breaches, and paper records and unencrypted electronic devices prevail among the media breached. There is good news and bad news here, and it is actually the same news: the biggest issues are preventable.
It is bad news because it means providers are not being careful enough with data. “Loss” is a disconcerting category because it suggests carelessness with PHI. Theft is partly preventable by exercising more caution, such as not leaving patient records in the back of a parked car. More importantly, the risk from theft can be mitigated by encrypting electronic devices, so that the information on them cannot be read even if the hardware is taken. And unauthorized access or disclosure reflects poor training, or poor adherence to that training, on the part of employees.
But it can also be good news, because it means that you can significantly decrease the likelihood of a breach by exercising more caution. My suggestions?
- Encrypt your devices in accordance with National Institute of Standards and Technology (“NIST”) guidance. The Department of Health and Human Services (“DHHS”) guidance on what renders PHI “unusable, unreadable, or indecipherable” points to NIST Special Publication 800-111 for data at rest, and to NIST’s TLS, IPsec VPN, and SSL VPN guides (SP 800-52, 800-77, and 800-113) for data in transit. This matters beyond good hygiene: under the Breach Notification Rule, PHI encrypted in line with that guidance is not “unsecured PHI,” so the loss or theft of such a device is not a reportable breach, provided the decryption key was not compromised along with it. Keep the key off the device (DHHS specifically calls for storing it separately from the data), and prefer full-disk or volume encryption, which also covers the files nobody thought to encrypt individually.
- Undertake thorough, recurring training with your employees so that they know what is expected of them, such as not leaving records unattended in their cars and not accessing or disclosing patient information without proper authorization.
- If you’re a provider, consider an EHR if you haven’t already made the move.
- Whether you’re a provider or not, consider HIPAA-compliant cloud solutions for data storage, and make sure the vendor will sign a business associate agreement (“BAA”): a cloud provider that stores PHI on your behalf is a business associate under HIPAA, and the BAA needs to be in place before any PHI goes there.
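Checking that the encryption recommended above is actually in place on a machine is something you can script rather than take on faith. The following is an added example, not code from Software Advice, DHHS, or NIST: a POSIX shell audit that reads the block-device tree as printed by `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on a Linux host and reports, for every mounted filesystem, whether it or any device beneath it in the stack is a dm-crypt (LUKS) volume. The `lsblk` output here is a constructed sample (a laptop with LVM on LUKS plus an unencrypted second disk, and a second sample with the data disk removed) so the script runs offline; the function names `audit_encryption` and `check_device` are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit which mounted
# filesystems are backed by a dm-crypt (LUKS) device on a Linux host.
#
# Real input would come from:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# The two samples below are constructed stand-ins for that output.
# Assumption: mountpoints contain no spaces (lsblk -P uses space-separated
# KEY="value" pairs, which is what the awk parser below relies on).

# Laptop with LVM-on-LUKS root and /home, plus an unencrypted data disk.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="luks-root"
NAME="vg0-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="luks-root"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"'

# Same laptop without the plaintext data disk.
SAMPLE_LSBLK_OK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="luks-root"
NAME="vg0-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="luks-root"'

# audit_encryption LSBLK_TEXT
# Prints one line per mounted filesystem: "<mountpoint> ENCRYPTED|PLAINTEXT".
# A filesystem counts as ENCRYPTED when it, or any ancestor reached by
# following PKNAME (parent kernel name), is a TYPE="crypt" device.
audit_encryption() {
  printf '%s\n' "$1" | awk '
    {
      # Pull the KEY="value" pairs out of one lsblk -P record.
      name = ""; type = ""; mnt = ""; parent = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        val = kv[2]; gsub(/"/, "", val)
        if (kv[1] == "NAME") name = val
        else if (kv[1] == "TYPE") type = val
        else if (kv[1] == "MOUNTPOINT") mnt = val
        else if (kv[1] == "PKNAME") parent = val
      }
      types[name] = type; parents[name] = parent
      if (mnt != "") mounts[name] = mnt
    }
    END {
      for (n in mounts) {
        enc = "PLAINTEXT"
        # Walk up the device stack until a crypt layer or the bare disk.
        for (d = n; d != ""; d = parents[d])
          if (types[d] == "crypt") { enc = "ENCRYPTED"; break }
        print mounts[n], enc
      }
    }' | sort
}

# check_device LSBLK_TEXT
# Exits non-zero (and names the offenders) when any mounted filesystem other
# than the boot partitions is unencrypted. Boot partitions are excluded
# because they hold no PHI and are normally plaintext even on LUKS systems.
check_device() {
  audit_encryption "$1" | awk '
    BEGIN { bad = 0 }
    $2 == "PLAINTEXT" && $1 != "/boot" && $1 != "/boot/efi" {
      bad = 1; print "unencrypted:", $1
    }
    END { exit bad }'
}

# Stand-alone run against the constructed samples.
audit_encryption "$SAMPLE_LSBLK"
check_device "$SAMPLE_LSBLK" || echo "FAIL: PHI could be readable if this device is lost or stolen"
check_device "$SAMPLE_LSBLK_OK" && echo "OK: every data-bearing filesystem sits on dm-crypt"
```

On a real host, call `audit_encryption "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME)"` or drop `check_device` into a configuration-management run so an unencrypted laptop fails its compliance check before it leaves the building. The check only establishes that dm-crypt sits in the storage stack; it says nothing about the cipher, the key length, or where the key is kept, which is what conformance to NIST SP 800-111 and the DHHS safe harbor actually turn on. Windows and macOS fleets need the native equivalents (`manage-bde -status` and `fdesetup status`, respectively).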
And consider working with an expert to make sure that you’re exercising every possible caution with your PHI. Check out compliance resources like those provided on this site for help.
Don’t become part of the “Wall of Shame,” the public list of breaches affecting 500 or more individuals that DHHS is required to post. Take appropriate measures to protect patient data before a breach happens so that you can avoid the monetary and reputational fallout afterward.