Spate of Data Breaches Highlights Need for HIPAA Privacy Training

The past few weeks have highlighted the dangers of HIPAA violations from within, with employees and healthcare professionals responsible for causing a number of HIPAA data breaches.

Since April 27, the records of 132,432 individuals have been exposed due to breaches caused by human error, and potentially many more: HIPAA covered entities are not obliged to report breaches until 60 days after the incident is discovered.

A Spate of Employee HIPAA Breaches Reported in the Past 5 Weeks

The last week in April saw a number of data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal. Consolidated Tribal Health Project reported that an employee had inappropriately accessed the PHI of 4,885 patients, while an email sent by a New York City Health and Hospitals Corporation (HHC) worker resulted in 3,334 patients’ records being compromised.

In the latter incident, the Bellevue hospital employee sent a spreadsheet containing PHI outside the hospital network to receive some technical help manipulating the spreadsheet. Clinical Reference Laboratory, Inc. also reported a breach involving the loss of 864 records, Walgreen Co. reported the loss of 1,138 and Ventura County Health Care Agency lost 1,339 paper records.

High Risk of Employees Taking Data to New Employers

A member of staff at the University of Rochester Medical Center breached HIPAA Rules this month after taking PHI to a new employer. So too did an employee at the Jacobi Medical Center in April, who sent an email containing the PHI of patients to her own personal email account and that of her new employer. That single email caused a HIPAA breach involving 90,060 individuals. No actual harm is likely to be suffered by the patients, but if the Ponemon Institute’s data breach cost calculations are correct, the incident could cost New York City Health & Hospitals Corporation $32,691,780, on top of the $1,210,242 cost from its Bellevue hospital breach.

It wasn’t the largest data breach of the month in terms of records exposed – although it was still sizable – but the MML HIPAA breach certainly had the biggest impact, having affected 40 hospitals and healthcare providers that used the company’s billing and coding services. 20,512 records were taken by an employee before leaving the company and were disclosed to a third party.

Human error was also the root cause of a HIPAA violation that has just appeared on the OCR breach portal. A storage facility used by the Thomas H. Boyd Memorial Hospital, Ill. was sold before boxes of files – containing the PHI of 8,300 individuals – were removed, technically making them the property of the new owner.

Human Error Responsible for Community Mercy Health Partners Breach

Last month, in Springfield Ohio, Community Mercy Health Partners suffered a data breach that resulted in the PHI of approximately 2,000 individuals being disclosed to other patients.

Furthermore, in six cases, patients received a billing communication which was intended for another healthcare provider. The privacy breach was the result of an error made during data entry that caused “an inadvertent change to name and address information on some patients’ bills,” according to Dave Lamb, a spokesperson for Community Mercy Health Partners.

The error resulted in the disclosure of a limited amount of information about patients, including names and addresses, billing codes (diagnosis/procedures), account balances, service dates and the locations where treatment was received. Social Security numbers, financial information and health data were not exposed in the incident.

Don’t Forget the Threat from Within

The current focus of health IT professionals may be improving cybersecurity defenses against hackers, but human error is behind a high percentage of data breaches, and is the leading root cause according to a recent Baker Hostetler report.

Healthcare providers and other covered entities should take this spate of human error HIPAA breaches as a warning and make sure their own staff has received appropriate HIPAA training – and a recent refresher – on data security and privacy issues to reinforce the need for extra care when accessing or using the Protected Health Information of patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.