This article looks at major HIPAA breaches last year and how your organization can avoid being held up by the federal government as an example of “what not to do.” Note that some of these organizations were not directly responsible, as was true of a hospital in Fort Worth, Texas, that trusted the wrong shredding service with its files.
The topics we will cover include:
- What is the Wall of Shame?
- Most prominent 2013 cases
- Analysis – Health records in a public park??
- Tips to avoid the Wall
- New business associate stipulations
What is the Wall of Shame?
Everyone in healthcare wants to avoid the HHS Office of Civil Rights’ Wall of Shame, where cases of noncompliance affecting 500 or more people are posted. Nevertheless, organizations reported by patients or audited by Health & Human Services keep earning that ignoble designation.
The OCR has kept a running list of these high-volume HIPAA offenses for the past five years (although the list is somewhat absurd because it’s chronologically backward, so the featured companies on the Wall of Shame are the first organizations that violated the law in 2009).
Most prominent 2013 cases
Stephanie D. Willis and Kimberly Gold of Health Law & Policy Matters reported early in the year on the most significant breaches of 2013. They also provided tips for staying compliant yourself.
Last year, more than 150 breaches of 500+ patients’ records were published on the OCR website. All told, the Wall of Shame indicates that healthcare firms were responsible for the exposure of 6.8 million Americans’ protected health information (PHI).
Largest 2013 HIPAA breaches
Although there were 160 large-scale breaches, the most devastating ones were concentrated at the top. Seven out of every eight exposed patient records (88%) were the result of the five largest breaches:
- Advocate Health and Hospitals Corporation – 4.0 million
- Horizon Blue Cross Blue Shield of New Jersey – 840,000
- AMHC Healthcare Inc. – 729,000
- Texas Health Harris Methodist Hospital Fort Worth – 277,000
- Indiana Family & Social Services Administration – 188,000
Analysis – Health records in a public park??
Healthcare regulations protect the privacy and security of patients, but their mandates are a source of stress and frustration for providers. Essentially, HIPAA seems to be a public means of controlling the private sector. However, the last item on that list, a state agency, suggests that the federal government is at least making an effort to hold public-sector security to the same HIPAA standard.
Three of the above cases had to do with a lack of encryption. Devices or computer files were stolen that contained unencrypted medical records.
The other two cases were the fault of business associates (more on their responsibility below). One accidentally sent PHI to the incorrect recipient through a coding mistake.
The other did not properly dispose of microfiche of patient records, and this incident was bizarre because it involved a public park. Texas Health Harris Methodist Hospital Fort Worth announced earlier this year that microfiche it had transferred to Shred-it for destruction was found in a local park by an uninvolved party on May 11. Microfiche was found in “two other public areas” as well, per a report published in HealthITSecurity.com. Shred-it was responsible in this case: it did not handle the microfiche as defined within its agreement with Texas Health Fort Worth. Although the health records were for patient appointments from 1980 to 1990, the hospital still made the Wall of Shame.
Tips to avoid the Wall
Willis and Gold draw three significant lessons from last year’s top five HIPAA breaches (basically, the reverse of the mistakes made):
- Always encrypt (as with our self-encrypting storage) – Note that in one case, the healthcare company had encrypted all of its laptops but not its desktops, and the desktops were the ones breached. The problem is with unencrypted data: theft of encrypted data is not considered a violation.
- Know the location of records – If PHI goes to the wrong place (as with the coding error incident above), you can conduct a risk assessment per 45 CFR 164.402(2) if you know the party to which the data was incorrectly sent.
- Require evidence from those who destroy – You want a documented policy of disposal procedures for hard-copy patient records. Get verification from the disposal organization to reduce your liability if it doesn’t hold up its end of the bargain.
New business associate stipulations
You may be aware that the HIPAA Final Omnibus Rule that went into effect last fall changed the playing field for covered entities and business associates. Business associates now have both contractual obligations to their covered entities and legal obligations to the federal government. In other words, your protection as a covered entity is enhanced by the government placing more pressure on business associates.