As regular readers of the qliqSOFT blog are now aware, the HIPAA Omnibus changes have been in effect for just over two weeks. In the wake of the September 23 compliance deadline, HIPAA compliance should be on the minds of most covered entities even more than usual, and rightfully so – HIPAA data breaches not only sacrifice the trust you’ve established with your patients, but they’re also extraordinarily expensive.
Understanding where the risk of breaches is the greatest is the most important step in risk analysis. To that end, Software Advice recently conducted an analysis of breach data. Software Advice, a company that reviews and writes buyer’s guides for web-based medical software, regularly talks to and hears concerns from medical practices. One of those concerns is security: can web-based systems really keep data safe?

It’s a valid concern. Entrusting your PHI to “the cloud” or the Internet for safekeeping can feel risky, since you’re storing data “out there” instead of on your own servers. But the analysis Software Advice conducted suggests that the Internet is not the biggest threat to PHI. Rather, it’s the people who use the technology themselves.
Of all the reported breaches that impact 500 or more individuals, Software Advice found that only eight percent involved hacking. The vast majority of these breaches involved the theft, loss, or unauthorized disclosure of PHI. And the breached data was most commonly found on paper or unencrypted digital devices.

What does this mean? First of all, theft is the biggest risk. Although you can never eliminate the risk of theft completely, there are practical measures you can take to mitigate the risk. For starters, avoid keeping documents or devices containing PHI in unsecured locations. That may sound like a no-brainer, but sensitive documentation stolen from the back of a parked car led to two of the five biggest breaches in history, affecting 4.9 and 1.7 million individuals respectively.
A further step would be to avoid paper altogether. Not using paper means there’s no physical document to steal. Then, of course, you’d need to encrypt the digital devices you used instead. A laptop can be stolen just like a paper file. The difference is that proper encryption measures can make the data on the laptop inaccessible if stolen.

Loss is another category that you can take action to avoid. Again, some loss may be inevitable – but loss is usually within your control (or your employees’ control). Many organizations involved in loss-related breaches noted undergoing extensive employee training in the wake of a breach. But why wait? You should regularly and thoroughly train anyone dealing with PHI before a breach ever happens. That way everyone is on the same page when it comes to how important the safeguarding of PHI is to your organization.
The same goes for unauthorized access or disclosure. This category is entirely in the hands of you and your employees. Make sure your employees know (reinforcing through regular training) the boundaries of information that can be accessed and shared. For example, curiosity about a patient is not a valid reason to access that patient’s record. And a juicy medical story is not a valid reason to share someone’s personal health information with a friend.

Health IT has given us enough empirical evidence by now to show us that the human element places PHI more at risk than the technology itself. By addressing this head on through rigorous training, covered entities can dramatically decrease their risk of suffering the dreaded data breach.