Breaches of protected health information (PHI) are a serious matter. A breach is an impermissible use or disclosure of PHI that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless certain criteria are met. The covered entity or business associate must demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of the following:
First, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
Second, the unauthorized person to whom the disclosure was made.
Third, whether the PHI was acquired or viewed.
Finally, the extent to which the risk to the patient was mitigated.
There are many forms of breaches of protected health information. Some examples of breaches of paper PHI are loss of paper files, unsecured disposal, and paperwork given to the wrong person. As a result, all entities that handle paper PHI must take care when sharing or disposing of this information. It is not uncommon for patients to receive the discharge summary of other patients or to see old medical records simply thrown away in the trash.
Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site. Most importantly, all organizations must create a process by which electronic PHI is protected in the cloud.
All of these have been the subject of Office for Civil Rights penalties.
Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if it is overheard when safeguards are not used.
It is important for all covered entities and business associates to review their policies. As a result, they will be able to better protect PHI, whether it is paper, electronic or spoken.
The Office for Civil Rights reports that healthcare data breaches increased continuously over the last few months of this year. For example, there were a total of 41 breaches in April, affecting a greater number of people than in previous months. The breaches affected a total of 894,874 records. Unfortunately, over the years since 2009, the number of breaches of over 500 records increased from 18 to 365. Meanwhile, 2018 was the worst in number of breaches but only the fourth in total numbers. Presently, in 2020, there are many cases still under investigation.
Unauthorized Access a Cause of Breaches
The healthcare industry continues to be a big target for hackers as healthcare data breaches increase. In 2018 there were 161% more healthcare records involved. Unauthorized access/disclosure incidents were one of the biggest causes of breaches. The mean breach size of unauthorized access incidents increased by 115%. Fortunately, loss, theft and improper disposal incidents appear to have all declined. Despite the bad news, it is likely that cyber security defenses have been effective in preventing hackers from gaining access to data.
Phishing is a Risk
Most importantly, the data from 2018 highlights the importance of increasing email security in addition to training employees. One main cause of healthcare breaches in the month of April was phishing attacks. For instance, in April nine breaches related to successful phishing attacks were reported. Other causes are unauthorized email access and misdirected emails. In conclusion, it will be important to improve technology to prevent the delivery of malicious emails to the inboxes of healthcare workers.
Exposed PHI Remains a Problem
In short, it appears that 75% of breaches affected healthcare providers, 14% health plans and 11% business associates of covered entities. Most importantly, the breaches associated with business associates were the most severe and represented 42% of all exposed records.
It is in the best interest of covered entities and business associates to promote safeguards to protect PHI and to train employees on this process.