The basics
Section 13402(e)(4) of the HITECH Act requires that all healthcare breaches impacting 500 or more individuals must be posted by the Secretary. We visited the US Department of Health and Human Services Office for Civil Rights’ Breach Portal and gathered data from the August 2018 – November 2018 reports* to give you a quick glimpse into the world of PHI data breaches and HIPAA violations. We’ve also put together a list of what you can do to prevent these breaches and how we can help.
The causes:
Not all breaches are the result of a malicious hacker; sometimes it’s just a simple mistake, such as sending a file to the wrong person.
The containment:
The faster a data breach can be identified and contained, the lower the damages and costs. According to the Ponemon Institute’s Cost of a Data Breach Study, the mean time to identify a breach across all industries was 197 days, and the mean time to contain one was 69 days. Healthcare companies took the longest to contain a breach, at 103 days.
The records:
These breaches are putting millions of patients’ information at risk, and when you consider that the average cost per record is $148, the numbers are even more astounding.
The breakdown:
Of the 123 reported breaches, spread across 35 different states and Washington DC, the largest share came from just two states: California accounted for 7.3% of the breaches, while Texas accounted for 15.4%.
The fines:
HIPAA violation fines range from $100 per violation/record up to $50k per violation/record. The fine is determined by the perceived level of negligence for each violation. There is a maximum penalty of $1.5M/year for each violation. Criminal charges, although rare, have also occurred.
What you can do
Realize that you don’t know what you don’t know
Train, train, then train some more. You’ve all heard us say that employees are a company’s greatest weapon, but how can you defend your practice if you don’t know what the enemy looks like? For our solution to this conundrum, scroll down or click here.
Zip those lips
Sharing isn’t always caring. Sharing sensitive patient information with unauthorized coworkers or friends is a definite no-no. So is sharing your passwords.
Avoid wandering eyes
It may be tempting to snoop at a friend or celebrity’s medical record, but if it’s not necessary for you to know what’s going on for you to do your job, you don’t need to look at it.
Lock it up
This goes for physical records and electronic ones. If you’re leaving your desk, secure physical records in a locked drawer or designated area, and lock your computer. As a reminder, you can quickly lock your computer using keyboard shortcuts (Windows Key + L or CTRL + ALT + DEL + ENTER).
Shred it
If you have documents containing PHI (what is PHI?), don’t just chuck them in the trash. The shredder is your friend.
Use role-based security
Even for industries that are less regulated, it’s always best practice to use role-based security and the principle of least privilege. You can secure your patients’ information by ensuring that each user has limited access rights – just enough to do their job. Julie from accounts receivable doesn’t need the ability to view lab results.
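To show what role-based security and the principle of least privilege look like in practice (and how the “wandering eyes” problem above can be caught by the same mechanism), here is an added example that is not part of the original post or of any ADKtechs product. The roles, resources, user names and patient IDs are all constructed for illustration. Every access decision is deny-by-default, clinical records are further limited to patients the user is actually assigned to, and every decision is written to an audit log so denied attempts can be reviewed.

```python
"""Role-based access control with least privilege for a small clinic system.

Added example, not from the original post. Roles, resources, users and
patient IDs below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Each role is granted only the (resource, action) pairs its job requires.
# Anything not listed here is denied: there is no "default allow" path.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "physician": frozenset({("lab_results", "read"), ("chart", "read"), ("chart", "write")}),
    "nurse": frozenset({("chart", "read"), ("chart", "write")}),
    "accounts_receivable": frozenset({("billing", "read"), ("billing", "write")}),
    "front_desk": frozenset({("demographics", "read"), ("demographics", "write")}),
}

# Clinical resources are additionally scoped to the user's assigned patients
# ("minimum necessary"); administrative resources are scoped by role alone.
CLINICAL_RESOURCES = frozenset({"chart", "lab_results"})


@dataclass
class User:
    name: str
    role: str
    # Patients this user is currently caring for. Empty for non-clinical staff.
    assigned_patients: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class AccessControl:
    audit_log: List[dict] = field(default_factory=list)

    def is_permitted(self, user: User, resource: str, action: str, patient_id: str) -> bool:
        """Return True only if both the role and the patient scope allow the access."""
        perms = ROLE_PERMISSIONS.get(user.role, frozenset())  # unknown role -> no permissions
        role_ok = (resource, action) in perms
        scope_ok = resource not in CLINICAL_RESOURCES or patient_id in user.assigned_patients
        allowed = role_ok and scope_ok
        # Log every decision, allowed or not, so denied attempts can be reviewed.
        self.audit_log.append({
            "user": user.name,
            "role": user.role,
            "resource": resource,
            "action": action,
            "patient": patient_id,
            "allowed": allowed,
            "reason": "ok" if allowed else ("role" if not role_ok else "scope"),
        })
        return allowed

    def denied_events(self) -> List[dict]:
        """Denied attempts are the ones worth a compliance officer's attention."""
        return [e for e in self.audit_log if not e["allowed"]]


def run_demo() -> AccessControl:
    """Constructed scenario: returns the populated access-control object."""
    ac = AccessControl()
    julie = User("Julie", "accounts_receivable")
    dr_lee = User("Dr. Lee", "physician", frozenset({"P-1001"}))
    temp = User("Temp", "contractor")  # role with no entry in ROLE_PERMISSIONS

    ac.is_permitted(julie, "billing", "read", "P-1001")      # allowed: her job
    ac.is_permitted(julie, "lab_results", "read", "P-1001")  # denied: wrong role
    ac.is_permitted(dr_lee, "lab_results", "read", "P-1001")  # allowed: her patient
    ac.is_permitted(dr_lee, "lab_results", "read", "P-2002")  # denied: not her patient (snooping)
    ac.is_permitted(temp, "chart", "read", "P-1001")          # denied: unknown role
    return ac


if __name__ == "__main__":
    for event in run_demo().denied_events():
        print(f"DENIED ({event['reason']}): {event['user']} -> {event['resource']}:{event['action']} on {event['patient']}")
```

The two checks are deliberately separate: the role check enforces “just enough to do their job,” while the patient-scope check stops a user with a legitimate role from reading a record they have no business reading. Reviewing the denied events regularly turns the access control itself into a detection tool.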
Build up your defenses
HIPAA compliance is overwhelming, but don’t let that make you forget the basics. Top of the line firewalls and AV software will help safeguard your patient data from malicious attacks. Not sure where to start? We’ve got a solution for that. PS – our basic network assessment is free!
Most IT companies know nothing about HIPAA compliance:
We do. By partnering with HIPAA experts, ADKtechs provides peace of mind for even the most compliance-driven industries. Here’s what we offer:
*Reports are dynamic. The information in this blog is accurate as of the date it was written.