It's tough being a keeper of patient health information these days. Even the most organized and respected entities, including those with seemingly adequate security safeguards, seem to eventually fall victim to a HIPAA security breach. And electronic records appear to be the most vulnerable.
The number of covered entities reporting breaches of unsecured patient protected health information (PHI) affecting 500 or more individuals to HHS has now topped 300, up from 200 just eight months ago. The list of breaches, colloquially known as the "wall of shame" and available online on HHS' website, doesn't even include the thousands of breaches reported to HHS that affected fewer than 500 individuals, which aren't required to be made public.
But a quick perusal of the wall of shame reveals an unpleasant fact: of the 306 breaches listed, most involved electronic PHI, including the loss, theft, hacking and unauthorized access or disclosure of laptops, backup tapes, desktop computers, emails, portable electronic devices and other electronics. Four breaches specifically involved a hospital's electronic medical records, including one suffered by Health and Hospital Corporation's North Bronx Health Care Network in New York, which affected a whopping 1.7 million individuals. Only 68 breaches, or about 22 percent, involved paper records alone.
These are sobering statistics. And coupled with the rise in enforcement of HIPAA and increase in penalties for violations, providers really can no longer hide behind that "it won't happen to me" mentality.
But while no electronic system is foolproof, you can take at least some steps to reduce the risk that your EMR or other electronic device will suffer a security breach:
- Encrypt the data. Remember that only unsecured PHI whose security has been breached, and whose breach may cause harm, must be reported. PHI counts as "secured" only if it is encrypted in a manner consistent with HHS guidance and the decryption key is not stored on the same lost or stolen device; a laptop with the key cached alongside the data does not qualify.
- Don't allow medical data to be downloaded from EMRs onto other equipment, such as laptops or flash drives, which may be more vulnerable to loss or theft.
- Make sure that your facility or office is complying with HIPAA's security and privacy rules, and that employees are appropriately trained.