Henry Ford Health System announced, in early October 2017, about the system hack and stolen record of 18,470 patients. On July 25–26, a virus blocked the documents (images, files and notes) of 128000 patients of Arkansas Oral Facial Surgery Center. In September, Augusta University Medical Center declared data theft during a breach. This type of attack was the second phishing effort against healthcare providers in just five months. The above three are the most notable data breaches that occurred in 2017.
The health and human service Office for Civil Rights (OCR) department has received 233 breach reports and many more. By July, HHS reports showed the affected 3.1 million electronic health records.
The total average expense of a successful hack is $3.62 million. The cost per breach is almost $380.
What makes up a breach of HIPAA?
Very few people breach HIPAA rules. Many violation instances happen simply by accident.
“Breach” is defined in Section 164.402 as the acquisition, access, use, or disclosure of protected health information in a manner not permitted… which compromises the security or privacy of the protected health information.
Exceptions to the HIPAA RULE
There are the following exceptions to the data breach. Let’s understand what constitutes a data breach and tips to avoid loss.
- Access or use of protected health information in good faith, unintentional acquisition, and keeping it within reach of authority.
- Disclosure by someone in good faith who is in charge of or authorized health information and has access or access at the same covered entity and business associates or someone who takes part.
Let’s understand this fact with the following examples
- A staff member accidentally views protected information while carrying his/her task.
- An individual who is in-charge of PHI (protected health information) discloses information to other staff members.
- A business associate or staff member verbally disclose protected health information in close proximity to a person in a coma.
Nature of HIPAA data breach
The healthcare breaches are uncommon and mostly unintentional. In 2017 companies encountered several cases. These breaches can happen through email containing protected information, or email sent to the wrong address or security lapses on an organization’s server.
Some common unintentional breach examples are as follows:
- Unintended disclosure of data
Sending emails to the wrong address or wrong attachment to an email recipient. So accidentally placing it in public.
- Malware and hacking
Malware can happen when too much information is stored on the server, and hacking can lead to a data breach.
- Malicious insider loss
Employees within or former employees or third parties can deliberately leak data in order to inflict harm.
- Physical loss
Devices and drives containing healthcare information can get damaged or lost, just like paper documents. Paper recycle bin can also lead to a data breach when documents or papers are not properly disposed of.
HIPAA data breach responsibility
So who is responsible for a data breach? Who to blame??
The HIPAA/HITECH omnibus final rule was designed to answer the above question in 2013. Before Omnibus, HIPAA covered entities were solely responsible for any breaches. Now business associates are also entitled to protecting protected health information.
The unsecured protected health information gives rise to a breach. The information which is unreadable, unusable or indecipherable is not unsecured. New rules are established on the use of information, marketing purpose and individual’s consent before selling their personal information. It gives intensive protection to customers by making them aware of the rights of an electronic copy of their medical records. It also instructs healthcare providers not to disclose information about their treatment.
Read: HIPAA Compliant Hosting For A Web Application: Questions to Ask
Tips to prevent HIPAA data breach
- Conduct a risk assessment
- Provide HIPAA education to employees
- Monitor records and devices
- Apply encryption at local levels
- Review your email protection
- Subnet wireless network
- Manage identity and access strictly
- Strict BYOD policy
- Check service-level documents carefully
- Hold business associates accountable for IT security policies.
- Establish a good legal counsel
HIPAA compliance cloud storage- why use?
HIPAA compliant cloud storage is an infrastructure that encrypts all at-rest data across the board and avoids the cost of data breach by meeting standards and providing third-party certification. In 2016 the settlements for the violation of healthcare privacy and security laws were high as per the HIPAA act of 1996. $22.9 million was submitted to the HIPAA enforcement agency and the Office for Civil Rights of the Federal Health and Human Service Department (HHS). In August, the largest settlement of $5.55 million was announced by HIPAA law. The six fines in 2016 cost $2.14 million.
HIPAA compliance is a multi-million-dollar proposition and is not just about fines. If we calculate in terms of reputational, legal, operational and other expenses, the average cost is $700 per healthcare data breach. If 5000 records are compromised, the expense to a company is about $3.5 billion.
We hope the above information proved helpful and tips would help you prevent a data breach; for a complete HIPAA compliance checklist, read here.
