HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN
[Chart: Data Breaches, 12 Months – 2014 vs. 6 Months – 2015; categories include Hacking / IT Incident, Improper Disposal, Not Specified]
2015 breach reports for HIPAA have already surpassed the 100 mark, with 110 reported June YTD. The average total cost of a data breach is $3.8 million, an increase of 23% since 2013 according to IBM’s tenth annual Cost of Data Breach Study. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased 6% to an average of $154 per record breached. Yet in healthcare, the cost is more than double at $363/record!
Source: http://www.hipaajournal.com/2015-healthcare-data-breaches-pass-100-incident-milestone-7052/
Many healthcare organizations may consider themselves unlikely to incur a breach, yet this same study reports a 22% probability of a breach occurring over 24 months.

This white paper summarizes how to help protect your practice or organization from becoming a casualty of a HIPAA breach.
Conduct a Risk Assessment
Conduct a risk assessment in accordance with the HIPAA Privacy and Security Rules that govern the transmission of all electronic patient information. The risk assessment will force you to review security policies, identify threats and uncover vulnerabilities.

Covered entities should be aware of the differences between the Privacy and Security Rule requirements regarding protected health information. One major distinction is that the HIPAA Security Rule only applies to electronic protected health information (e-PHI). A covered entity is responsible for maintaining confidentiality, integrity and availability of all
Under the HIPAA Security Rule, covered entities are required to perform a risk analysis to document any risks or vulnerabilities to e-PHI. Any risks or vulnerabilities identified should be appropriately addressed and the steps for mitigation documented, including necessary changes to policies and procedures. All documents should be retained for a minimum of six years.

A plan should be developed based on the results of the risk analysis, and should include how your practice or healthcare organization uses the administrative, physical and technical safeguards to mitigate risks. This risk analysis should be an ongoing process, and to achieve Meaningful Use a periodic review is required. This is not “one size fits all”: the security measures are scalable to any size of practice or healthcare organization.

The Administrative, Physical and Technical Safeguards are the focus of the OCR Audit Program Protocol for the Security Rule. Covered entities must comply with all of the standards listed below, and some of these standards also have required implementation specifications that must be followed:
Administrative Safeguards
• Security Management Process (Required Implementation Specifications for Risk Analysis, Risk Management, Sanction Policy, Information System Activity
• Assigned Security Responsibility (Required Implementation Specification to Identify Security Official)
• Workforce Security
• Information Access Management (Required Implementation Specifications for Isolating Healthcare Clearinghouse
• Security Awareness and Training
• Security Incident Procedures (Required Implementation Specification for Response and Reporting)
• Contingency Plan (Required Implementation Specifications for Data Backup Plan, Disaster Recovery Plan, and Development and Implementation of an Emergency Mode Operation Plan)
• Evaluation (Required Implementation Specification for Periodic Technical and Non-technical Evaluation)
• Business Associate Contracts and Other Arrangements (Required Implementation Specifications for a Written Contract)

Physical Safeguards
• Facility Access Controls
• Workstation Use (Required Implementation Specification for Function and Physical Attributes)
• Workstation Security (Required Implementation Specification for Physical Safeguards and Access Restrictions)
• Device and Media Controls (Required Implementation Specifications regarding Methods for Final Disposal of e-PHI and Procedures for Reuse of Electronic

Technical Safeguards
• Access Controls (Required Implementation Specifications to Assign All System Users a Unique Identifier and to Establish Emergency Access
• Audit Controls (Required Implementation Specification to Record and Examine
• Integrity Controls
• Transmission Controls
• Person or Entity Authentication (Required Implementation Specification for Authentication Procedures)
With the enactment of HITECH, the HIPAA Enforcement Rule allows Civil Monetary Penalties (CMP) for violations of the Privacy and/or Security Rules. A covered entity could be assessed a fine of up to $1.5M for identical violations in one calendar year, even if the covered entity did not know about a violation. If known, the correction must occur within 30 days of discovery or be subject to maximum
Continue HIPAA Education
Educate your employees so that they understand that the security of patient health information is an integral part of their professional responsibility. Continually educate employees on current HIPAA rules and regulations, and review state regulations involving the privacy of patient information. When employees are frequently reminded of the implications of data breaches, the risk of a violation is significantly reduced.

Training and education on the practice or organization’s HIPAA policies and procedures should also be ongoing to ensure all employees are aware of their responsibilities to keep patient information private and secure. For instance, a covered entity must obtain an individual’s written authorization for any use or disclosure of PHI that is not related to treatment, payment or healthcare operations, with a few otherwise permitted exceptions. Reasonable efforts should be made by the covered entity to disclose the minimum amount of PHI necessary for the intended purpose, and access to PHI should only be granted to those employees with duties requiring access.
Understanding the Privacy Rule
Covered entities have several requirements under the Privacy Rule. The purpose of the rule is to protect and secure individually identifiable patient information, and the covered provider has the ultimate responsibility for HIPAA compliance. Compliance with the Privacy Rule was required on April 14, 2003.

According to the OCR’s HIPAA Audit Program Protocol for covered entities on Privacy Rule requirements, the following processes, controls and policies will be reviewed:
• Notice of Privacy Practices for PHI
• Rights to request privacy protection for
• Access of individuals to PHI
• Administrative requirements
• Uses and disclosures of PHI
• Amendment of PHI
• Accounting of disclosures

A couple of important aspects of the rule involve practical steps such as assigning a privacy/security officer and staff training. Your employees should be aware of who is serving in these important roles. The privacy and security officer should develop, document and maintain policies and procedures, and work with the IT team and EHR vendors.

Office policies and procedures should be reviewed and updated as needed to ensure that every possible system is in place to secure and protect all PHI, which under the Privacy Rule means any PHI: oral, paper or electronic. Most importantly, the staff must be continually educated about any changes to existing Privacy policies and procedures.

Monitor Devices and Records
The OCR reports 34 data breach incidents, each affecting more than 500 individuals, from January through mid-August 2015. About half are related to theft, most commonly involving laptops, desktop computers and other portable electronic devices.

It is important to frequently remind employees to be watchful of any electronic devices or records left unattended. While it is the job of your IT staff to safeguard patient information, employees also need to be mindful of their role in keeping patient data safe by watching devices and patient records.

Encrypt Data & Hardware
While theft and loss remain a key source of data breaches, even more surprising is the vulnerability of healthcare-related devices to hacking. Frequently used devices in healthcare that cannot be overlooked during a security risk assessment, as they have proven to be vulnerable, include:
• Virtual private network
• Firewalls
• Software
• Printer/Scanner/Fax
• Mail Servers

Many breach incidents involving theft or loss could have been avoided with the use of encryption technology. While HIPAA doesn’t require the encryption of data, it also does not consider the loss of encrypted data a breach. Encrypting patient information is one way to avoid potential penalties, and it also protects against other vulnerabilities associated with hardware (servers, networks, mobile and other medical devices). Ensure networks with public access do not expose private patient information. Instead, create dedicated secure networks for the transmission of patient information.
Scrutinize Service-Level Agreements
If you are considering retaining patient information and data in the cloud, be certain that the Service Level Agreement (SLA) you have with your Cloud Service Provider clearly states that you own the data and that it can be accessed securely and in a timely manner. Also ensure that the SLA complies with HIPAA and state privacy laws.
Make Business Associates Accountable
Update and maintain business associate agreements that reflect changes to federal and state privacy regulations. Healthcare organizations usually have many vendors with access to patient data. In the event of a breach, the healthcare practice or organization is responsible. Hold your Business Associates (BAs) accountable for putting safeguards in place to protect PHI, providing security and risk assessments, and reporting breaches immediately to the covered entity.
Understand Risks of Being Mobile and Social
The dynamic nature of technology creates more ways to become susceptible to data breaches. Texting, mobile devices and social media, all commonly used among healthcare workers, increase this likelihood.

Is texting patient information a part of how you communicate?
Quicker than a phone call, texting is often utilized by healthcare workers to convey work-related information. It is important to ensure that you are texting in a HIPAA compliant manner.

Texting has become a routine means of communication for most mobile phone users, including healthcare providers. Approximately three-quarters of clinicians use texting to exchange work-related information with other clinicians (see Frost and Sullivan 2011). The convenience, ease and speed of text messaging are all appealing.

Due to the HIPAA Privacy and Security Rules, texting presents many compliance issues. Standard text messaging is not secure and should never be used to exchange patient information. Secure text messaging can be done within the HIPAA regulations, but there are several things to consider (Adam Greene, April 2012):
• Password protection and encryption. Check with the vendor regarding the security of the mobile device.
• Policy regarding what patient information, if any, will be shared.
• Immediate deletion of all texts regarding patient information to reduce the possibility of unauthorized third-party exposure.
• Ability to remotely wipe the mobile device in case of theft.
• Usage of texting must be disclosed in the Notice of Privacy Practices.
• Documentation of texted information in the patient’s record if the shared information affects the patient’s care. The patient must be able to request amendment of their record, according to the Privacy Rule.
• Business associate agreement with the mobile device carrier if text information is stored on a server on a routine basis or sent via
• Immediate disclosure of a security breach and corrective action within 30 days.
Are your mobile devices HIPAA compliant?
Significant civil and criminal penalties, including large fines, loss of licensure and even imprisonment, are associated with HIPAA violations regarding the exchange of e-PHI. To avoid these possible penalties, ensure your mobile phone usage is in compliance with the HIPAA Privacy and Security Rules.

As the world of healthcare evolves, more and more healthcare providers are utilizing mobile devices when conducting business. In fact, having a mobile device is almost a necessity in healthcare today. Healthcare workers who utilize mobile devices need to ensure that they are not risking data breaches and must protect private patient information. If you are a covered entity, you are responsible for complying with HIPAA regulations for securing private patient information, including when using mobile devices.

Here are several guidelines to ensure proper security when using mobile devices:
• Before allowing the use of mobile devices, decide whether they will be used to access, retrieve or store patient data, or as part of your organization’s internal EHR system.
• Think about the threats that mobile devices pose to the confidentiality of patient information your organization
• Identify a risk management strategy for mobile devices. Evaluate and maintain the safeguards your organization has in place for mobile devices.
• Develop, document and implement a policy for your organization regarding safeguarding private health information.
• Conduct ongoing privacy training for mobile device users in the workplace.
Do you risk violating HIPAA on social media?
As technology advances, so has social media, with more and more platforms arising for people to communicate – anytime, anywhere and with anyone. With an increase of social media presence in our lives comes an increase in the possibilities to breach patient confidentiality. Healthcare workers may not even realize that providing vague details about their day on a social media platform can put them at risk of disclosing personal patient information.

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, web pages, Google+ and LinkedIn can all get healthcare providers in trouble under HIPAA, state privacy laws and state medical laws. Data breaches in the healthcare community have risen with physicians’ and other healthcare professionals’ increased use of social media. Most of these breaches could have been avoided.

Any disclosure of a patient’s protected health information (PHI) through social media can be a problem. Here are some tips to avoid violating HIPAA with social media:
• Do not talk about patients online, even in general terms. Simply avoiding using a patient’s name is not enough. Identifiable factors, such as patient age and medical condition, should also be avoided. Talking about disease conditions, treatment options and research is okay. Talking about specific patients with these disease conditions is not okay.
• Do not blog anonymously. Being anonymous gives people a false sense of power, making them feel they can say whatever they want without consequence.
• If you would not say it in a crowded elevator, do not post it online.
• Have a friend check your posts before you share them. What might be funny to you may not come off as funny to others. A fresh set of eyes can help assess whether or not you are heading down a slippery slope.
• Keep your personal and professional lives separate. Do not friend request patients from your personal accounts. Set your posts so that only friends can view them. Check your privacy settings monthly, as they can change.

As technology and legislation increase and evolve, your policies and procedures need to be updated to stay current. Plan to review them at least once every six months, and be sure your social media policy includes a section on PHI.
Avoid “The Wall of Shame”
Healthcare entities have enhanced visibility of privacy and security breaches. As part of HITECH, any breach affecting over 500 individuals will be posted on “The Wall of Shame” on the HHS website. To avoid joining this list, continually monitor your practice or healthcare organization for vulnerabilities and threats, and mitigate any potential risks to PHI to prevent avoidable breaches.

This whitepaper summarizes ways to help protect your healthcare practice or organization against data breaches. Having policies and guidelines in place, and communicated to employees, is important so that they know what they can and cannot do. Having a full compliance program in place can help ensure you are HIPAA compliant and protect your entity against data breaches.

From policies and procedures to employee training and risk assessments, First Healthcare Compliance offers a comprehensive compliance management program solution to ensure your entity is HIPAA compliant and maintains compliance not just in HIPAA but in all areas mandated by the Affordable Care Act (ACA).
Our Solution:
Confidently manage compliance with the First Healthcare Compliance comprehensive compliance management solution, which provides you the visibility, oversight, controls and tools to manage your organization’s compliance program from the top down and from the bottom up. Mitigate your risk and drive compliance with our customized, scalable cloud-based solution coupled with live support from our team of experts in healthcare compliance.
First Healthcare Compliance
3903 Centerville Road
Wilmington, DE 19807
© 2016 First Healthcare Compliance LLC. All rights reserved.