Even with the HIPAA Security Rule, a massive increase in exposed health records has been reported in the 2019 Breach Barometer Report. That is not good news for the health care industry.
One of the main purposes of the HIPAA Security Rule is to make sure that electronic protected health information (“EPHI”) is secured in an adequate fashion, an auditable track of EPHI activity is kept and access to EPHI is controlled.
More Than 15 Million Patient Records Exposed!
Even though there was only a small increase in 2018 in the number of reported breaches, the 2019 Report noted that there were more than 15 million patient records exposed by those breaches.
Unfortunately, healthcare hacking incidents have been increasing steadily since 2016 and were the largest category of breaches in 2018, accounting for 44% of those reported, followed by insider breaches at 28%, which can be difficult to detect without the proper tools in place. Loss and theft accounted for 14%, and the cause of 13% of breaches was unknown.
Why is it then that the number of breaches and records affected continues to rise every year? It isn’t because of a lack of enforcement, given the huge settlements that the U.S. Department of Health and Human Services has been collecting over the past few years. It is possible that covered entities as well as business associates, even though they are aware of the seven-figure penalties, may simply believe that those who were sanctioned were isolated cases “which couldn’t happen to them.” That is not what one would call a risk management strategy.
One other reason is failure to conduct or update an initial risk analysis as required by the Evaluation Standard. Failure to conduct a risk analysis is willful neglect, which is the highest category of penalty and one that cannot be waived.
Not Placing a Priority on HIPAA Compliance.
Another reason can be that, because of lack of time, lack of resources, or a decision that other compliance issues are more important, the health care industry does not place a priority on HIPAA compliance.
The average cost of a health care organization’s health record data breach is $355 per record, according to a new survey conducted by the Ponemon Institute, which conducts independent research on data protection. So, if you haven’t done an initial risk analysis or updated your previous one, please consider doing so now!
It is extremely important to train your entire workforce on HIPAA in general and on your HIPAA policies and procedures, according to what each person needs to know to perform their duties properly for you.
HIPAA does not specify how often to update the risk analysis, but a general rule of thumb is to do so at least annually, or whenever a significant change that could affect data security, such as a physical move, takes place.
Be sure to keep any written documentation of all your HIPAA compliance efforts where you can find them quickly if DHHS shows up demanding your HIPAA compliance documentation.
For more information on the HIPAA Security Rule and a consultation, call RevPro Healthcare Solutions at 561-578-8400.