HIPAA Breaches: It's Your Fault, Not Theirs

We have written a lot about data breaches and HIPAA violations on this blog. Let's see what the latest data tells us and what we can learn from it. Healthcare IT News recently wrote about 2012's largest HIPAA breaches.

In essence, the top 10 breaches present us with two overwhelming lessons:

1. Seriously consider whether you and your practice should be using laptops to store patient data at all, and whether those laptops should be allowed to leave the office. Four of the top 10 HIPAA violations involved stolen laptops, and another case involved misplaced backup data disks (so we'll include it here). So, while these breaches were technically committed by outside thieves, physicians and employees need to take responsibility for leaving laptops (and disks) unattended and for failing to encrypt them properly.

2. Make sure that your electronic medical data and electronic medical records have the appropriate levels of security, not only to guard against being hacked by outsiders, but also to protect you from your own employees or affiliated employees having access to data they should not be able to reach. Four of the top 10 HIPAA data breaches involved employees or affiliated employees improperly accessing patient records and data.

So, nine of the top 10 data breaches of 2012 were the result of inadequate precautions on the part of an employee or physician. Surprising, huh? Only one of the top 10 cases involved an outsider hacking into a server from the outside, which is probably what most people picture when they think of a data breach. Health care employees therefore need to re-frame their idea of HIPAA breaches: they should assume that breaches will happen and that they may be responsible to some degree. As a result, employees should take the proper precautions now, so that even if your practice becomes a victim in the future, you won't look like a willing one.

In summary, every organization should:
1. Re-evaluate their laptop policy.
2. Re-evaluate the security and encryption on their laptops and other computer systems.
3. Ensure that only appropriate and necessary individuals have access to patient information.
