The Health Insurance Portability and Accountability Act is the key law governing privacy in health care. The key provision is that medical providers, insurance companies and others…
Unauthorized exposure of protected health information (PHI) is a very serious matter under HIPAA, but it keeps happening. The consequences can include heavy fines. Breaches have many causes, ranging from insufficient computer security to poor handling of physical records. To stay HIPAA compliant, healthcare providers and other organizations that handle PHI need to be aware of the risks and do everything possible to reduce them.
- 21st Century Oncology. An Internet security breach resulted in the theft of information on about 2.2 million patients from 21st Century Oncology. The stolen information included names, Social Security numbers, and insurance information. The breach occurred in late 2015 and was publicly reported in March 2016. Multiple class-action lawsuits quickly followed.
- Bizmatics. Bizmatics, a provider of electronic health record services, discovered a data breach in December 2015. It was the result of malware that might have been present since early in the year, and estimates of the number of patients affected have risen to 177,000. This breach affected multiple healthcare providers using Bizmatics’ PrognoCIS software. The breach wasn’t publicly reported until June 2016. Fortunately, it was reported that no credit card information or full Social Security numbers were leaked.
- California Correctional Health Care Services. There’s a certain irony when a provider of healthcare services to the prison system suffers data loss due to old-fashioned theft. California Correctional Health Care Services reported a data breach when a laptop computer was stolen from an employee’s car on February 25 of this year. The theft may have exposed the PHI of as many as 400,000 patients who were in California prisons between 1996 and 2014. The computer wasn’t encrypted, though all portable computers carrying patient information ought to be. CCHCS said the response would include “corrective discipline.” A 2008 court ruling had held that California’s medical services for prisoners were so bad that they violated the Eighth Amendment.
- Radiology Regional Center. High tech isn’t necessary for massive data loss. Radiology Regional Center in Lee County, Pennsylvania, accidentally released records on 483,063 patients due to a waste removal failure. On December 19, 2015, a truck was carrying old documents to a secure disposal center, in accordance with HIPAA rules. The records fell out, apparently because workers failed to latch the rear door, and papers flew all over the street. Employees scrambled to pick up the litter, but some documents could have gotten into the hands of criminals. Radiology Regional Center is no longer using Lee County Solid Waste Division to dispose of its records.
- Community Mercy Health Partners. Waste disposal issues also caused a breach with Community Mercy Health Partners in Ohio. On November 27, 2015, the police got a report of patient records in a public recycling container. A vendor had failed to dispose of the records properly. Staff retrieved all the documents found in the container, but it’s not certain whether others may have grabbed some of the records before that. Community Mercy began notifying patients on January 25, 2016. The papers were believed to have information on 113,000 patients. Like Radiology Regional Center, Community Mercy fired the vendor that was responsible.
These breaches remind us that small errors can have huge consequences. Making sure that protected health information is really protected requires caution everywhere. Computers need to be secured and monitored against malware and intrusion. Passwords need to be strong. Portable devices need encryption. Old paper records have to be disposed of properly. It isn’t just an organization’s own activities that can open up risks: vendors can be careless, and responsibility still falls on the healthcare providers that retain them. HIPAA compliance requires a comprehensive risk assessment, followed by action to minimize every identified source of breaches. It’s impossible to reduce the risk to zero, but it has to get as low as reasonably possible.
Visit us at SecureNetMD® to learn more about our HIPAA compliant solutions for the healthcare industry.