HIPAA Data Breach: Protect your data storage devices and backups, and train your staff

In compliance with the HIPAA Data Breach Notification Rule, more than 570 HIPAA data breaches of over 500 records have been reported since 2010, with over 21 million patient records lost. This information is posted on a federal website known informally as the HIPAA ‘Wall of Shame.’

All HIPAA data breaches are reportable. If you lose more than 500 records you have up to 60 days to notify the affected patients and report the loss to the US Department of Health Office for Civil Rights (OCR). Smaller HIPAA data breaches require patient notification and must be reported to OCR on an annual report. California has even stricter requirements.

Checking out the Wall of Shame confirms that many breaches are caused by the loss of laptop computers, desktop computers, and servers. Breaches have occurred with the loss of other data storage devices, backup tapes and drives, and improper use of e‑mail.  Cell phones and tablets are listed as ‘other portable devices.’ Over 20% of the reported breaches have been caused by Business Associates.

Some of the HIPAA data breaches are criminal – selling patient information to personal injury attorneys—and some are simple human error—like setting an automatic envelope stuffer to insert four pages in each envelope instead of one page, providing each recipient with an unexpected surprise of three other medical records including names and Social Security numbers.

There is a lot to learn from this website and the breach notification rule. Do your employees know the civil and criminal penalties for breaching patient information? Health care institutions have implemented checklists and double- or triple-checks to ensure that the correct procedures are taking place. Have you implemented checklists and double-checks in your office to ensure that HIPAA data breaches are being prevented?

Encrypt Patient Data Everywhere, at rest and in transit

None of the breaches of electronic data would have been reportable if the data had been encrypted (a ‘Get Out of Jail Free Card’ in the data breach reporting rule). Some large breaches were caused when file servers were stolen, so don’t assume that only laptops and other portable devices are targets. Remember that Electronic Protected Health Information (ePHI) includes any data file that contains a patient identifier plus any diagnosis or treatment information. These files can be in any form – written, images, or voice files. Get pricing on encrypting all of the devices that store ePHI and compare the cost to the $1.5 million fine last year for a single stolen unencrypted laptop, and the $1.7 million fine for a single stolen unencrypted hard drive.

Where is your data?

Think of your workflows. What medical devices send data to PCs or servers, or connect to billing systems? How are your data backups transported off-site? Are doctors creating voice files on digital recorders to send to transcriptionists? Images can be anything, including photos, X-rays, MRIs, CAT scans, ultrasounds, scanned images, etc. Are voice messages and faxes being converted to e-mails? Are staff members e-mailing patient info to your remote offices or to other practices for referrals? Analyze these practices immediately so you know for sure that the data is secure. Bring in technology or compliance specialists if you need their expertise.

Technical Safeguards

The first way to prevent a HIPAA data breach is to avoid storing any ePHI on portable devices. If you can’t help it, such as on portable recording devices, pay extra to get secure recorders with fingerprint readers to make sure no one can get access to patient info if the device is lost or stolen. Lock cell phones and tablets, and set them up for a remote wipe if they are lost or stolen. Disable all automatic logins and enable automatic screen locks after a few minutes of inactivity. While your users may think these controls are annoying and slow them down, you can avoid very expensive and embarrassing HIPAA data breaches.
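The encryption-at-rest advice above and the screen-lock and automatic-login controls in this section are only useful if you can confirm they are actually in place on every PC that touches ePHI. The following read-only audit script is an added example, not part of the original article: it reports any fixed volume that BitLocker has not fully encrypted, a screen saver that is disabled, does not require a password, or waits longer than an assumed policy limit, and any Windows automatic logon (including a stored plaintext password). It assumes a Windows 10/11 or Windows Server host with the BitLocker PowerShell module, an elevated prompt, and a 5-minute idle limit, which is an assumed policy value rather than anything the article specifies.

```powershell
# Added example (not from the original article): read-only audit of three
# endpoint controls for a PC that stores or displays ePHI:
#   1. full-disk encryption (BitLocker) on every volume,
#   2. a password-protected screen lock after a short idle period,
#   3. no automatic logon at boot.
# Assumes Windows 10/11 or Windows Server with the BitLocker module, run from
# an elevated prompt. $MaxIdleSeconds is an assumed policy value.

$MaxIdleSeconds = 300   # assumed policy: lock after 5 minutes of inactivity
$findings = @()

# 1. Encryption at rest: each volume should be fully encrypted with protection on.
try {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "Volume $($vol.MountPoint): status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"
        }
    }
} catch {
    $findings += "Could not query BitLocker (module missing or not elevated): $($_.Exception.Message)"
}

# 2. Screen lock: screen saver on, password required on resume, timeout within policy.
#    These values live in the current user's hive, so run the script as the user who
#    normally sits at the machine (or loop over loaded user hives in a fleet audit).
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desk.ScreenSaveActive -ne '1')    { $findings += 'Screen saver is not enabled' }
if ($desk.ScreenSaverIsSecure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
$timeout = 0
if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }   # stored as seconds
if ($timeout -eq 0 -or $timeout -gt $MaxIdleSeconds) {
    $findings += "Screen lock timeout is $timeout s (policy: at most $MaxIdleSeconds s)"
}

# 3. Automatic logon: AutoAdminLogon must be off and no DefaultPassword may be stored.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') { $findings += 'AutoAdminLogon is enabled' }
if ($winlogon.PSObject.Properties.Name -contains 'DefaultPassword') {
    $findings += 'A plaintext DefaultPassword is stored in the Winlogon key'
}

# Report. An empty findings list means all three controls are in place on this host.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): all endpoint checks passed"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on each workstation and server that handles ePHI and keep the output with your compliance records; the script changes nothing, so it can be scheduled or pushed through your management tooling without risk to the machine. A volume that reports anything other than FullyEncrypted with protection On is exactly the kind of device that, if lost or stolen, would be a reportable breach rather than a covered one.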

Is your office or your answering service sending patient information to doctors by text message? Stop this now, because text messaging through cell carriers is not secure and is easily hacked (just ask Rupert Murdoch, whose news-gathering empire retrieved celebrities’ text messages they thought had been erased or were private).

Train Your Staff

Train your workforce in the behaviors you expect. Make sure they can recognize PHI and ePHI. Make sure they understand what systems are available for properly storing and transmitting patient data. Make sure they look at storage devices as large HIPAA data breach risks, and handle them accordingly. Make sure they aren’t copying patient data to unsecure thumb drives, sending patient info by unsecure Internet e-mail services, or discarding old equipment like computers and copiers that may contain electronic patient data. Make sure they know to report any loss or improper disposal of patient data, no matter how small. Make sure they understand the civil and criminal penalties for HIPAA data breaches, and how they might affect their careers.

Business Associates

Don’t forget your Business Associates. Have you verified that every qualifying outside organization that has access to your PHI and ePHI has signed a Business Associate Agreement? Do your Business Associates know they must comply with the HIPAA Omnibus Final Rule by September?

Fame or ‘Wall of Shame’ Notoriety?

While your organization might spend a lot of money to market its name to be famous in your community, I am sure they don’t want the notoriety and the costs that come with being listed on the HIPAA data breach Wall of Shame. With some effort you can prevent it.

"originally written for 4MedApproved"