HIPAA exists to regulate protected health information (PHI) and protect patient privacy. While these regulations are essential for the secure transmission of electronic health records (EHR), they can certainly burden covered entities and their business associates.
As challenging as it can be to maintain complete compliance, violations are far more burdensome. Between the steep penalties outlined in the HITECH Act and the impact on your organization’s reputation, HIPAA violations can be devastating.
We want your team to succeed, so we’ve assembled a list of real-life HIPAA breaches for your staff to review.
What is HIPAA?
HIPAA is a set of laws HHS designed to protect medical information and patient privacy. This legislation is split up into several different sections, which consist of the additional rules the government has passed since signing HIPAA into law.
HHS designed HIPAA to be a “one size fits all” solution, so there’s vague language and flexibility written into the rules. For example, some security and privacy measures require “reasonable safeguards,” which can wildly vary.
This isn’t a weakness of the legislation, but it can complicate adherence and leave healthcare providers wondering whether they’re compliant. Many factors affect the security needs and capabilities of healthcare organizations, and by using this loose language, HHS ensures that providers won’t find compliance unreasonable.
Let’s briefly cover the various rules of HIPAA. If you would like to brush up on your HIPAA compliance, check out the links for in-depth posts.
Privacy Rule – This rule was the first additional rule to HIPAA, and it prioritized protecting patient information. For example, the Privacy Rule enhanced patients’ rights and improved the requirements for accessing patient records.
Security Rule – The Security Rule defines the administrative, technical, and physical requirements of HIPAA to reduce the chances of medical record breaches.
Breach Notification Rule – The primary goal of this rule is to ensure that covered entities and their business associates take responsibility for HIPAA breaches. In addition to updating the penalty structure for violations, this rule requires these individuals to report all breaches of PHI. These requirements are based on the severity of and response to the breach.
Breaches Caused by Lost or Stolen Devices
With the proliferation of electronic health record systems since the HITECH Act, hackers have had increasing success targeting PHI. Unfortunately, this isn’t the only type of theft healthcare professionals need to worry about.
Even though most modern medical records are digital, physical theft is still a threat for HIPAA-covered entities and business associates. From laptops to cell phones, from flash drives to printed copies, there are many ways for these criminals to access sensitive information.
It’s the responsibility of you and your team to take every precaution necessary to prevent patient information from being stolen. Let’s take a look at some real-life events where healthcare workers failed to thwart the thieves.
Real-Life Example of Breaches Caused by Lost or Stolen Devices
On November 2, 2017, a thief stole a laptop owned by an employee of Coplin Health System in West Virginia. This laptop contained the unencrypted personal information of 43,000 patients. Fortunately, Coplin Health System CEO Derek Snyder said that the chances of the thief breaching PHI were low.
While it’s always unfortunate when thieves take things that don’t belong to them, Coplin Health System was relatively lucky. The thief was seemingly unable to bypass the laptop’s built-in security measures, which protected the unencrypted records inside.
This isn’t the only major HIPAA breach caused by stolen files, and it’s far from the worst.
In September 2011, a Tricare employee transporting tapes with patient information was the victim of a car thief. (These tapes are magnetic data storage devices that some believe still hold value in today’s digital age).
The worker was tasked with swiftly transporting these tapes between San Antonio federal facilities. However, this individual left their car parked for almost 9 hours, which was plenty of time for someone to break in.
In addition to the PHI stored on the tapes, the thief got away with a stereo system and a GPS device. With the value of these devices, we can assume that the thief was trying to make money. Unfortunately, medical information can sell for a high price on the black market.
This thief ran off with the personal and medical information of 4.9 million Tricare beneficiaries. This included social security numbers, patient addresses, health details, and more. Ironically, the records were on their way to the other facility for digitization, which may have ultimately protected them.
These are 2 of many similar stories, and they should be considered cautionary tales for all current healthcare professionals.
How to Avoid Breaches Caused by Lost or Stolen Devices
It’s no secret that the legal and financial ramifications of HIPAA violations can be massive. For the sake of your patients and your organization, it’s essential to be mindful when handling devices with PHI. Let’s cover some quick tips to help your organization avoid similar breaches.
First and foremost, maximizing security is key. Securing devices that store protected health information is a required aspect of the Security Rule Physical Safeguards.
With the proper skills, a hacker can break into a computer and take what they want. With this in mind, it’s essential that your organization encrypts all PHI kept on a device. (Encryption converts files into unreadable ciphertext that can only be converted back with the correct decryption key.)
Even with these safeguards, however, you and your team should never leave devices with PHI unprotected. An individual who is transporting PHI on a device should avoid stopping unless absolutely necessary.
If a stop is necessary, the individual should keep the device on their person if possible. If this isn’t possible, they should keep their car in sight at all times, since the goal is always to minimize the risk of an EHR breach.
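The tips above come down to one technical control: PHI that leaves the building should exist on the device only as ciphertext under a key the thief does not have. The following is an added illustration, not ChartRequest’s code and not a recommended production cipher. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with a separate HMAC-SHA256 tag (encrypt-then-MAC) and a key stretched from a passphrase with scrypt; in a real deployment you would use AES-GCM from a vetted library on top of full-disk encryption, but the container layout (salt, nonce, ciphertext, tag) and the two failure modes it handles, a wrong passphrase and a modified file, are the same. The container marker `PHI1` and the sample record are constructed for the example.

```python
"""Encrypt a PHI export so a lost laptop or drive yields only ciphertext.

Added example, not the page's or ChartRequest's code. Standard library only:
HMAC-SHA256 in counter mode for confidentiality, HMAC-SHA256 tag for
integrity (encrypt-then-MAC), scrypt for passphrase stretching. Use AES-GCM
from a vetted library in production; the structure is what this shows.
"""
import hashlib
import hmac
import secrets

MAGIC = b"PHI1"      # container format marker, constructed for this example
SALT_LEN = 16        # per-file salt for scrypt
NONCE_LEN = 16       # per-file nonce so identical records encrypt differently
TAG_LEN = 32         # HMAC-SHA256 output length
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(passphrase, salt):
    """Stretch the passphrase and split the result into encryption and MAC keys."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """PRF counter mode: block i = HMAC(key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, passphrase):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in
               zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    # The tag covers the header too, so a swapped salt or nonce is detected.
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(blob, passphrase):
    """Recover the plaintext; raise ValueError on wrong passphrase or tampering."""
    if len(blob) < HDR_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a PHI1 container")
    header, ct, tag = blob[:HDR_LEN], blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    # Constant-time compare; check the tag before touching the ciphertext.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or modified file")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def verify(blob, passphrase):
    """True if the container authenticates under this passphrase."""
    try:
        decrypt(blob, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    record = b"MRN 0001234 | Jane Sample | SSN 000-00-0000 | dx: hypertension"
    blob = encrypt(record, "correct horse battery staple")
    print("plaintext visible in container:", b"Jane Sample" in blob)
    print("round trip ok:", decrypt(blob, "correct horse battery staple") == record)
    print("wrong passphrase accepted:", verify(blob, "guess"))
```

The salt and nonce are generated fresh for every file, so encrypting the same export twice produces two different containers, and the tag is checked before any decryption output is produced, which is the property that turns a stolen drive from a breach into a non-event for the records it holds. The passphrase is the weak point of this design; on a real laptop it is replaced by a key held in a TPM or by the full-disk encryption already built into the operating system.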
Breaches Caused by Insufficient Employee Training
Training staff is expensive, time-consuming, and stressful, and training staff for HIPAA compliance is doubly so. The penalties that may follow a breach caused by insufficient training can easily exceed these costs.
By looking at some true examples of breaches caused by insufficient training, you may find new ways to help train your team and improve compliance. Keep in mind that these are just a few of the many violations caused by poor employee training.
Real-Life Example of Breaches Caused by Insufficient Employee Training
The Kaiser Hospital faced a fine of $250,000 after their staff’s snooping breached medical records in 2009. Some of the records breached belonged to celebrities, but not all. Even if the name on the file belongs to somebody famous, the protected health information inside is equally regulated.
Affinity Health and HHS settled at over $1.2 million in penalties after the organization’s failure to properly destroy PHI. Not everybody is aware, but fax machines and copiers store the data they process. By not clearing the hard drives of leased copiers upon return, they inadvertently breached the information of 344,579 patients.
Digital records aren’t the only ones that need to be properly destroyed, as covered entities and business associates must appropriately dispose of paper records. In 2012, Walgreens was fined a combined total of over $16.5 million in penalties after dumping medical records and toxic waste into dumpsters.
HIPAA requires covered entities to release requested records promptly, and failure to comply can be financially devastating. In 2009, two hospitals owned by Cignet Health denied 41 patients access to their medical records, resulting in a combined penalty of $4.3 million.
Mishandling records isn’t the only way for your team to unintentionally breach HIPAA. In 2019, the OCR fined Elite Dental Associates of Dallas $10,000 for posting patient information on a review site. The employee posted identifying information and treatment details about the patient in response to the patient’s poor review.
How to Avoid Breaches Caused by Insufficient Employee Training
Your organization’s HIPAA training should not only cover the essential information but also aim to change your team’s behavior. To understand why they need to protect patient information, your team must understand the stakes.
Regardless of training, however, there are always people who make poor, thoughtless decisions. When dealing with HIPAA compliance, thoughtlessness can easily cause major financial penalties and impact your organization’s reputation for years.
It’s important for your organization to adequately train your team to appropriately handle the exchange of protected health information.
Breaches Caused by Poor Internet Safety
Scammers, phishers, hackers, and all other sorts of cybercriminals target healthcare organizations for the wealth of identifiable information potentially available. As such, there are many ways poor internet safety can cause breaches of protected health information.
Cybercriminals constantly adapt to upgraded security measures and look for weak points to target. By looking at examples of poor internet safety causing PHI breaches, your team can understand which risks to avoid.
Real-Life Example of Breaches Caused by Poor Internet Safety
In October 2017, the Henry Ford Health System leaked the protected health information of 18,470 patients. This breach occurred when cybercriminals gained access to employee email accounts.
Henry Ford Health System failed to determine whether the PHI had been illicitly accessed, used, or disclosed. They did, however, determine that the information at risk included major patient information, including social security numbers.
It is unclear how the unauthorized individual managed to access the employee’s email account, but there are several possibilities.
The employee could have accidentally downloaded a keylogger that reported every single key typed. Perhaps the employee was using a weak password that they use for multiple accounts. It’s even possible that a cybercriminal tricked the employee into providing their password.
Suspicious emails and websites aren’t the only avenues of PHI risk your team needs to watch for.
In December 2018, UW Medicine had a misconfigured EHR database that made PHI available to anybody who looked for it. For over three weeks, the organization was unaware that a simple Google search would return medical records.
This error was discovered when a patient searched their own name and found their medical records with identifiable information. As it turned out, this breach affected nearly 1 million patients.
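The UW Medicine incident was discovered by a patient, not by the organization, even though every crawler fetch of a record page left a line in the web server’s access log. The following is an added example, not code from the page or from ChartRequest, of the kind of log check that would have surfaced that exposure in hours rather than weeks. It parses combined-format access log lines and raises an alert when a known search-engine crawler, or any client with no authenticated user, is served a record path with HTTP 200. The log lines, IP addresses, paths and the `/records/`-style path prefixes are all constructed for the example; the assumption that the authenticated username appears in the remote-user field only holds for HTTP-level authentication, so an application using session cookies would need its own application log for the second check.

```python
"""Detect PHI record pages being served to crawlers or unauthenticated clients.

Added example, not the page's or ChartRequest's code. Input is Apache/nginx
combined log format; sample lines below are constructed, with documentation
IP ranges and invented record IDs.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Assumed path prefixes under which this (hypothetical) EHR serves records.
RECORD_PATH_RE = re.compile(r"^/(records|patients|charts)/")

# User-agent fragments of major search-engine crawlers (case-insensitive).
CRAWLER_MARKERS = ("googlebot", "bingbot", "duckduckbot", "yandexbot", "baiduspider")


def parse(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def audit(lines):
    """Scan access log lines and return a list of alerts, one per exposed fetch.

    Malformed lines are skipped rather than failing the whole run, since a
    single garbled line must not hide exposures elsewhere in the file.
    """
    alerts = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        if entry["status"] != "200" or not RECORD_PATH_RE.match(entry["path"]):
            continue  # only successful fetches of record paths matter here
        if is_crawler(entry["ua"]):
            kind = "crawler_served_record"    # the UW Medicine symptom
        elif entry["user"] == "-":
            kind = "unauthenticated_record"   # no remote user on a PHI path
        else:
            continue  # authenticated, non-crawler fetch: expected traffic
        alerts.append({"kind": kind, "ip": entry["ip"],
                       "path": entry["path"], "ts": entry["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts by kind, for a dashboard or a daily report."""
    counts = {}
    for a in alerts:
        counts[a["kind"]] = counts.get(a["kind"], 0) + 1
    return counts


GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/64.0"

# Constructed sample log; the record IDs and addresses are not real.
SAMPLE_LOG = [
    f'203.0.113.10 - - [03/Dec/2018:10:15:01 +0000] "GET /records/00012345 HTTP/1.1" 200 5120 "-" "{GOOGLEBOT}"',
    f'203.0.113.10 - - [03/Dec/2018:10:15:02 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "{GOOGLEBOT}"',
    f'198.51.100.7 - - [03/Dec/2018:10:16:40 +0000] "GET /records/00012346 HTTP/1.1" 200 4900 "-" "{BROWSER}"',
    f'192.0.2.44 - jdoe [03/Dec/2018:10:17:05 +0000] "GET /records/00012347 HTTP/1.1" 200 5010 "https://portal.example/login" "{BROWSER}"',
    f'192.0.2.45 - - [03/Dec/2018:10:18:00 +0000] "GET /records/00012348 HTTP/1.1" 401 0 "-" "{BROWSER}"',
    f'203.0.113.10 - - [03/Dec/2018:10:19:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "{GOOGLEBOT}"',
    "this line is garbage and must not abort the scan",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
    print(summarize(audit(SAMPLE_LOG)))
```

Run against the sample, the first line (Googlebot fetching a record with 200) and the third (an anonymous browser fetching a record with 200) produce alerts; the authenticated fetch, the 401, the non-record page and the malformed line do not. A crawler hitting `/robots.txt` and getting 404 is worth a separate, lower-severity check, since it is often the first sign that nothing is telling search engines to stay out.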
How to Avoid Breaches Caused by Poor Internet Safety
Navigating the internet can be complicated, and inexperienced individuals may not understand the warning signs. While some methods of attack may seem easy to avoid, there’s a reason cybercriminals use them. They still work.
To help healthcare workers understand how to be safe online, HHS released these cybersecurity tips. This document contains strong suggestions to help protect your organization against common attack vectors.
You can prepare your team to safely use the internet on your organization’s systems by enforcing rules based on these guidelines. At the bare minimum, your staff should:
- Protect their accounts. This includes using strong passwords with a mix of numbers, letters, and symbols. Regular password changes can further reduce the risk of account breaches.
- Protect their devices. With physical access to a device, skilled hackers can easily create back doors to allow them access anytime. Any device that contains patient PHI should always be inaccessible to unauthorized individuals.
- Stay vigilant and stay current. By keeping up-to-date with current attack methods, your team will be aware of the red flags. Furthermore, they will know when to reach out to an IT professional.
Knowledge is power, and empowering your team with the tools to protect your organization is essential for lasting compliance.
ChartRequest Prevents Avoidable Breaches
Human error is the most common cause of PHI breaches because there are so many ways to trick people. It takes a military-grade supercomputer to have even a minuscule chance of breaching encryption, so humans have no chance.
Cybercriminals can’t breach HIPAA-compliant security measures, so their best target is your team. There are two key ways to ensure compliance.
The first is to train your employees to avoid common pitfalls. The second is to minimize the number of threat vectors for cybercriminals to target.
By using ChartRequest to handle the release of information, you provide your team with a safer EHR exchange solution. We automate and streamline as much of the ROI process as possible to reduce the chance of EHR breaches.
Don’t depend on outdated technology like fax machines; join the future of EHR exchange today! Explore our plans and see which option is right for you.