
OCR Submits HIPAA PHI Breach Reports To Congress

As required by the HITECH Act, the Department of Health and Human Services' Office for Civil Rights (OCR) has submitted its annual reports to Congress detailing the breaches of unsecured protected health information (PHI) it was notified of during 2011 and 2012. The reports show that the damage is highly concentrated: 98% of the individuals affected by breaches involving 500 or more records were affected by just 1% of the recorded breaches. These large-scale incidents, whether caused by security lapses or by targeted attacks, are affecting millions of Americans. According to the figures cited in the report, the total number of individuals affected has now risen to 32 million, and the total number of recorded breaches of 500 or more records is about to reach the 100 mark.

The reports describe the state of HIPAA compliance and show that healthcare organizations are still failing to take the actions required to protect patient data and keep PHI private and confidential. Over the past 12 months record fines have been issued for security breaches and violations of HIPAA requirements, and HHS Chief Regional Civil Rights Counsel Jerome Meites has predicted "a huge spike in the fines from violations" over the coming months. In his view, the number of enforcement actions seen so far is small compared with what is to come.

While Meites was expressing a personal view rather than an official position of HHS, the number of investigations currently being conducted into HIPAA violations and data breaches is growing fast, and it is reasonable to expect the number of financial penalties issued by HHS to increase accordingly.

The value of PHI on the black market makes healthcare organizations, and their business associates, targets for cybercriminals, and weaknesses in IT systems are being exploited with increasing frequency. The reports state that theft was the leading cause of the largest data breaches in 2011, while a year later, in 2012, hacking incidents and other IT-related failures accounted for the greatest exposure of patient data.


Reducing the Risk of PHI Loss

In its reports to Congress, HHS set out the steps that healthcare organizations and their business associates should take to improve security and prevent breaches. These include:

Conducting Regular Risk Analyses and Implementing Risk Management Strategies

Organizations should conduct a thorough analysis of the vulnerabilities in, and risks to, the confidentiality, integrity and availability of the PHI they hold, and then devise and carry out a risk management plan that addresses the issues identified. Risk analysis is a required implementation specification of the HIPAA Security Rule (45 CFR 164.308(a)(1)), not an optional best practice. Policies and procedures should be reviewed and revised regularly, both as legislation changes and as the organization's systems and threats change.

Conducting a Security Evaluation

Changes to hardware, software, websites and procedures require a security evaluation to identify potential compliance issues and security risks before they reach production. Evaluations should be performed periodically (the Security Rule's evaluation standard, 45 CFR 164.308(a)(8), requires both periodic technical and non-technical evaluations and evaluations in response to environmental or operational changes) and also whenever procedures are updated or new software, hardware or other technology is introduced.

The Control and Security of Portable Electronic Devices

Theft and loss of portable electronic devices such as laptops, smartphones and USB drives account for a large proportion of reported breaches. Appropriate controls should be implemented so that loss of a device does not mean loss of the data on it. Data at rest should be encrypted wherever possible, and both files and device access should be protected by strong passwords. Note that a login password on its own does not protect PHI from someone who removes the storage from the device or boots it from other media; only encryption does. Under HHS guidance, PHI that is encrypted in a manner consistent with the NIST standards cited in that guidance is considered "secured", so the loss of such a device is not a reportable breach of unsecured PHI, whereas the loss of an unencrypted, password-protected device is.

Secure Disposal of Records

All paper and electronic records containing PHI must be disposed of securely, for example by shredding paper and by wiping or physically destroying storage media, so that the information cannot be recovered. Healthcare organizations and their business associates must implement policies and procedures to ensure PHI is destroyed in all of its forms, including on decommissioned devices and copies held by third parties.

Access Control

Staff and workstations must have security controls in place to ensure that PHI is kept secure and cannot be accessed by unauthorized individuals. This includes unique user identification for each member of staff (a required Security Rule specification) so that access can be attributed and audited, and automatic logoff or screen locking for unattended workstations. Individual access rights should also be carefully considered and restricted to the minimum PHI each role needs to perform its duties.

Staff Training

It is essential that staff are made aware of the organization's policies and procedures on the use and disclosure of PHI. Training should be ongoing rather than a one-off event, and staff should be informed of new legislation and of any changes to the organization's policies and procedures for storing and transmitting data.

Business Associate Agreements

Agreements with business associates must be reviewed and updated to reflect the HITECH Act's extension of HIPAA obligations directly to business associates, and must set out the permitted uses and disclosures of PHI and the safeguards the business associate is required to maintain.

If healthcare organizations address each of these areas, they will improve their security posture and reduce the probability of a data breach, and of the enforcement action that follows one.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.