As we’ve discussed on this blog, EHR (Electronic Health Records) offers several advantages over its paper-based forebears. But paper-based patient records have one huge advantage over EHR: they’re harder to steal or expose.
Granted, paper files could be accidentally destroyed in a flood or fire, and I suppose people have stolen records for various reasons, but if you’re an enterprising criminal, wouldn’t you prefer to grab an unencrypted laptop from a storeroom or hack into a healthcare provider’s database, rather than page through a box of 30 paper files in the hopes of finding a few social security numbers or credit card slips?
In contrast, data breaches involving EHR are so commonplace that the U.S. Department of Health & Human Services has a Breach Notification Rule webpage documenting all “breaches of unsecured protected health information affecting 500 or more individuals.”
You can search it by Breach Type, which includes:
- Hacking/IT Incident
- Improper Disposal
- Loss
- Theft
- Unauthorized Access/Disclosure
Locations, which include:
- Desktop Computer
- Electronic Medical Record (EHR)
- Laptop
- Network Server
- Other Portable Electronic Devices
The state in which the breach took place, and the date.
You could spend days looking at these statistics, but to give you a taste of how varied (and at times nutty) these breaches can be, David Vogel of Layered Tech wrote a post compiling the Top 10 HIPAA Data Breaches of 2013.
Writes Vogel:
While penalties haven’t been handed down and lawsuits settled, each of the below likely represent millions of dollars in fines and settlements. For example, during 2013 HHS handed out penalties ranging from $150,000 to $1.7 million. Potential class action lawsuits and the cost of providing fraud protection for those affected can quickly propel those costs into the tens of millions or even billions.
The breaches listed in Vogel’s Top 10 sprung from a variety of mishaps from unencrypted laptops to a programming error. The number 1 breach, which affected over 4 million patient records happened when four laptops containing patient data, including social security numbers, were stolen. The organization responsible for allowing this breach, Advocate Medical Group, failed to notify affected patients “until more than a month after the theft [italics mine], and stated the laptops were password protected,” although not encrypted, says Vogel.
At the end of his post, Vogel offers two recommendations to keep yourself off this list in 2014. They are:
1. Encrypt any devices that touch patient data. This takes a concerted effort and investment, but as you can see from half of the top ten breaches, electronic devices get stolen, and password protection is never enough.
2. Choose business associates who value data security and HIPAA compliance as much as you do. Ideally, choose one who will guarantee it.
Of course, no data protection solution or framework is 100% effective, and the common refrain is to prepare for when (not if) a data breach occurs. If you experience a data breach despite all your precautions, I have one more suggestion:
3. Be transparent. If your patient records have been compromised, don’t wait a month to inform your patients! Let them know as soon as the incident has taken place, and provide them with actions they can take to minimize the fallout, whether it involves cancelling a credit card or checking in with the three Credit Bureaus for any peculiar activity.
You might even consider offering affected patients a free subscription to a protection service like AllClear ID, to show your good intentions in handling this breach. Doing so won’t inoculate you from penalties or class action suits, but such actions may help signal to patients that they can still trust you over the long haul.
