HIPAA breaches are investigated by the US Department of Health and Human Services Office for Civil Rights (OCR). OCR maintains a public web site (the breach portal) that lists breaches affecting 500 or more individuals, both those still under investigation and those that have been resolved. Reviewing this site gives us insight into what has gone wrong for other medical providers and helps us understand the steps we can take to avoid similar breaches in our own practices. A review of the breaches posted between November 1 and November 23, 2020 reveals the following:
Who Experienced the Breach?
- 2 Breaches occurred at Business Associates
- 5 Breaches occurred at Health Plans
- 19 Breaches occurred at Health Care Providers
How did the breaches happen?
- 12 breaches due to hacking/IT incidents
- 12 breaches due to unauthorized access to or disclosure of medical records
- 1 breach due to improper disposal of medical records
- 1 breach due to loss of medical records
What systems were involved in the breaches?
- 8 breaches involved paper records or plain films
- 7 breaches involved email
- 1 breach involved a network server
- 1 breach involved a desktop computer
- 1 breach involved the electronic medical record (EMR) system
Breaches during this period ranged in size from 1,428 to 176,857 individuals affected.
Using a cloud based Electronic Health Records system can lull a practice into a false sense of security when it comes to HIPAA. Many providers have voiced the opinion "My EHR vendor is HIPAA compliant and takes care of all my HIPAA security." Looking at the type and nature of the November breaches, only one of the 26 involved the electronic medical record itself, so cloud based EHR vendors do appear to be doing a good job of protecting the information you store on their systems. But you are still at risk of a HIPAA breach or HIPAA incident everywhere else in your practice.
This matters because it underscores that HIPAA compliance involves much more than our Electronic Medical Records. When we think about HIPAA, we need to consider every part of our practice. Most of the November breaches did NOT involve the EHR: they involved paper records, plain films, email, and improper disposal of medical records. The protections built into an EHR system do not extend to the other parts of the practice that can expose patient information.
The vast majority of HIPAA breach investigations conclude that failure to perform a proper HIPAA Security Risk Analysis, or failure to keep it up to date, was one of the root causes of the breach. The HIPAA Security Rule requires every covered healthcare provider to have a current Security Risk Analysis. Failure to complete one can be considered "Willful Neglect", and when a provider is found to be in willful neglect of the HIPAA regulations the federal government is REQUIRED by law to levy fines against the organization responsible for the breach.
However, a provider that has completed an up to date HIPAA Security Risk Analysis has a way to avoid fines associated with a breach. The federal government is PROHIBITED by law from imposing a civil money penalty when the violation was not due to willful neglect and is corrected within 30 days of the date the provider knew, or should have known, of it. A current, documented Security Risk Analysis is the strongest evidence a provider can offer that the breach was not the result of willful neglect.
A well done, up to date HIPAA Security Risk Analysis helps you implement measures that minimize the chance of a breach, and therefore prevents some breaches from happening. The same process is also vital in helping you avoid fines should your practice or organization experience a breach.
Your HIPAA Security Risk Analysis includes an action plan: your Risk Mitigation Plan. These are the measures you need to put in place to minimize the possibility of a breach. Producing the document is not enough; you MUST follow through on your Risk Mitigation Plan.
The HIPAA Security Risk Analysis is also one of the requirements of the MIPS program. With the end of the year only one month away, now is a good time to review your Risk Analysis and your Risk Mitigation Plan.
If you have not updated your Risk Analysis recently or have never completed a Risk Analysis with Risk Mitigation plan, TLD Systems can assist you to complete this vital task before the end of 2020.
TLD Systems encourages you to take all steps necessary to avoid a breach and avoid being featured on the OCR list of breaches under investigation, which can be found at: