This article looks at the major HIPAA breaches of last year and how your organization can avoid becoming the federal government's next example of what not to do. Note that some of the organizations listed were not directly at fault, as was true of a hospital in Fort Worth, Texas, that trusted the wrong shredding service with its files.
The topics we will cover include:
- What is the Wall of Shame?
- Most prominent 2013 cases
- Analysis – Health records in a public park??
- Tips to avoid the Wall
- New business associate stipulations
What is the Wall of Shame?
Everyone in healthcare wants to stay off the HHS Office for Civil Rights' (OCR) Wall of Shame, the public list of breaches of unsecured protected health information affecting 500 or more individuals. Covered entities are required to report breaches of that size to HHS themselves; others come to light through patient complaints or OCR audits. Either way, the organization earns that ignoble designation.
OCR has kept a running list of these large breaches since the breach notification requirement took effect in 2009 (the list is presented oldest first, which the author finds somewhat absurd: the organizations featured at the top of the Wall of Shame are simply the first ones to have reported a breach in 2009, not the worst offenders).
Most prominent 2013 cases
Stephanie D. Willis and Kimberly Gold of Health Law & Policy Matters reported on the biggest breaches of 2013 early this year. They also provided tips for staying compliant yourself.
Last year, more than 150 breaches of 500+ patients’ records were published on the OCR website. All told, the Wall of Shame indicates that healthcare firms were responsible for the exposure of 6.8 million Americans’ protected health information (PHI).
Largest 2013 HIPAA breaches
Although there were 160 large-scale breaches in total, the damage was concentrated at the top. Seven out of every eight exposed patient records (88%) came from the five largest breaches:
- Advocate Health and Hospitals Corporation – 4.0 million
- Horizon Blue Cross Blue Shield of New Jersey – 840,000
- AHMC Healthcare Inc. – 729,000
- Texas Health Harris Methodist Hospital Fort Worth – 277,000
- Indiana Family & Social Services Administration – 188,000
Analysis – Health records in a public park??
Healthcare regulations protect the privacy and security of patients, but their mandates are a source of stress and frustration for providers. Essentially, HIPAA can look like a public means of controlling the private sector. However, the last item on that list, a state agency, suggests that the federal government is at least making an effort to hold public sector security to the same HIPAA standard.
Three of the five cases came down to a lack of encryption: computers holding unencrypted medical records were stolen.
The other two cases were the fault of business associates (more on their obligations below). In one, a contractor's coding mistake caused PHI to be sent to the wrong recipients.
In the other, a vendor failed to properly dispose of microfiche containing patient records, and the incident was bizarre because it involved a public park. Texas Health Harris Methodist Hospital Fort Worth announced last year that microfiche it had transferred to Shred-it for destruction had been found in a local park by an uninvolved party on May 11. Microfiche was found in "two other public areas" as well, per a report published in HealthITSecurity.com. Note that although Shred-it was responsible in this case because it did not handle the microfiche as defined in its agreement with Texas Health Fort Worth, and although the records were for patient appointments that occurred from 1980 to 1990, the hospital still made the Wall of Shame.
Tips to avoid the Wall
Three major lessons from the top five HIPAA breaches of last year, according to Willis and Gold (essentially the reverse of the mistakes made):
- Always encrypt (as with our self-encrypting storage) – In one case, the healthcare company had encrypted all of its laptops but not its desktops, and the desktops were the ones stolen. The problem is unencrypted data: PHI encrypted in a manner consistent with HHS guidance is "secured," and the loss or theft of secured PHI is not a reportable breach. Two caveats: the safe harbor is lost if the key or passphrase was compromised along with the device, and a self-encrypting drive only protects a device that is powered off or locked, not one stolen while running and unlocked.
- Know where records went – If PHI goes to the wrong place (as in the coding error above), you may conduct the risk assessment described in 45 C.F.R. 164.402(2), which weighs the nature of the PHI, who received it, whether it was actually viewed or acquired, and how far the risk has been mitigated. Knowing the party to which the data was sent is what makes that assessment possible; an unknown recipient, as with a stolen device, leaves you with a presumed breach.
- Require evidence from those who destroy – Keep a documented disposal policy for hard-copy and microfilm patient records, and require a certificate of destruction and chain-of-custody records from the vendor. That documentation reduces your liability if they don't hold up their end of the bargain.
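To make the decision logic behind the first two tips concrete, here is a small triage script. It is an added example, not code from the original article or from Willis and Gold: the `Incident` fields, the `assess` and `triage` functions, the conservative reading of the four-factor risk assessment and the sample incidents are all this example's own constructions, while the thresholds it encodes (the encryption safe harbor, the 500-individual HHS posting threshold, the 60-day notice windows) come from 45 C.F.R. 164.402 through 164.408. The media-notice test is simplified by assuming all affected individuals live in one state.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """One event to triage. Field names are this example's own construction."""
    description: str
    individuals: int                # number of people whose PHI was involved
    encrypted: bool                 # encrypted at rest per HHS guidance (NIST-consistent)
    key_compromised: bool = False   # did the key or passphrase go with the device?
    recipient_known: bool = False   # 164.402(2)(ii): do we know who received the PHI?
    recipient_bound: bool = False   # recipient is a CE/BA, or attested to destruction (iv)
    viewed: bool = True             # 164.402(2)(iii): was the PHI actually viewed/acquired?


def is_secured(i: Incident) -> bool:
    """HHS safe harbor: PHI rendered unusable by encryption meeting the HHS
    guidance, and the key did not leave with the data."""
    return i.encrypted and not i.key_compromised


def low_probability_of_compromise(i: Incident) -> bool:
    """Constructed, deliberately conservative reading of the four-factor risk
    assessment in 45 C.F.R. 164.402(2): an unsecured disclosure counts as low
    risk only when the recipient is known, is bound by HIPAA or has attested
    to destruction, and the PHI was not actually viewed. A stolen device fails
    immediately because the thief is unknown."""
    return i.recipient_known and i.recipient_bound and not i.viewed


def assess(i: Incident) -> dict:
    """Decide whether the incident is a reportable breach and, if so, which
    notifications follow (164.404 individuals, 164.406 media, 164.408 HHS)."""
    if is_secured(i):
        return {"reportable": False,
                "reason": "secured PHI: encryption safe harbor, no notification required"}
    if low_probability_of_compromise(i):
        return {"reportable": False,
                "reason": "unsecured, but a documented risk assessment shows a low "
                          "probability of compromise (keep the assessment on file)"}
    big = i.individuals >= 500
    return {
        "reportable": True,
        "reason": "unsecured PHI with no low-risk finding: presumed breach",
        "notify_individuals": "without unreasonable delay, no later than 60 days after discovery",
        # 500 or more individuals: HHS is notified within the same 60 days and the
        # breach is posted publicly (the Wall of Shame); smaller ones go in an annual log
        "notify_hhs": ("within 60 days of discovery, posted publicly" if big
                       else "annual log, within 60 days after the end of the calendar year"),
        # media notice applies above 500 residents of one state; this example assumes
        # every affected individual lives in the same state
        "notify_media": i.individuals > 500,
    }


# Constructed incidents shaped like the 2013 cases discussed above
INCIDENTS = [
    Incident("four unencrypted desktops stolen from an office", 4_000_000, encrypted=False),
    Incident("encrypted laptop stolen, key held separately", 1, encrypted=True),
    Incident("encrypted laptop stolen with passphrase on a sticky note", 1,
             encrypted=True, key_compromised=True),
    Incident("mailing misdirected by a vendor's coding error, recipients unknown",
             188_000, encrypted=False),
    Incident("statement faxed to another covered entity, which attested to shredding it",
             3, encrypted=False, recipient_known=True, recipient_bound=True, viewed=False),
    Incident("microfiche left in a public park by a shredding vendor", 277_000, encrypted=False),
]


def triage(incidents=INCIDENTS) -> list:
    """Assess every incident; returns (description, reportable, posted_on_wall)."""
    out = []
    for i in incidents:
        r = assess(i)
        out.append((i.description, r["reportable"], r["reportable"] and i.individuals >= 500))
    return out


if __name__ == "__main__":
    for desc, reportable, posted in triage():
        tag = "BREACH   " if reportable else "no breach"
        print(f"{tag} {'(Wall of Shame) ' if posted else ''}{desc}")
```

Running it shows the point of the first tip directly: the two encrypted-laptop incidents differ only in whether the passphrase travelled with the machine, and that single fact is what separates "no notification" from a presumed breach.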
New business associate stipulations
You may be aware that the HIPAA Final Omnibus Rule, whose compliance date arrived last fall, changed the playing field for covered entities and business associates. Business associates (and, under the Omnibus Rule, their subcontractors) now have both contractual obligations to their covered entities and direct legal obligations to the federal government. In other words, your protection as a covered entity is enhanced by the government placing more pressure on business associates, although, as the Fort Worth case shows, a vendor's failure can still put your name on the Wall.
Learn more today about HIPAA Compliant Hosting and Cloud Hosting with Atlantic.Net!