Figures released by the Department of Health and Human Services' Office for Civil Rights show there were 199 breaches of "protected" health information last year affecting 7,095,145 patient records – more than the population of Massachusetts!
But this hardly tells the whole story, as the Office for Civil Rights is only required to reveal details of HIPAA data breaches in which the number of patient records compromised is equal to or greater than five hundred.
In fact, the Office for Civil Rights received more than 90,000 complaints about HIPAA data breaches in 2013, and even if you eliminate the 53,000 complaints that were closed because the Office for Civil Rights "lacked jurisdiction", the complaint was withdrawn, or no violation of HIPAA was found, that leaves 37,000 complaints which, by default, were justified.
Incredibly, 90 of the 199 HIPAA data breaches reported by the Office for Civil Rights involved the theft of a mobile device or desktop computer – including the top three individual data breaches which alone accounted for 5.59 million compromised health records.
Now, just think about this for a minute. If the patient data contained on those three mobile devices and desktop computers had been encrypted as required by the HIPAA Security Rule, “only” 1.5 million patient records would have been compromised in 2013 – slightly more than the population of New Hampshire.
That is a massive difference for something which is relatively simple to do, so why are healthcare organizations failing to take the necessary steps to protect their patients' healthcare information? The only possible explanation is that the encryption of PHI was categorized as an "addressable" requirement in the HIPAA Security Rule and, left to their own devices, the healthcare organizations have just not bothered to "address" the issue.
The HIPAA Security Rule uses the terminology “addressable” and “required” in its technological, physical and administrative safeguards. “Required” does not need any explanation, but maybe (for the benefit of healthcare authorities) the term “addressable” does.
Addressable means that the standards of the HIPAA Security Rule must be implemented unless a risk assessment concludes that the implementation of a particular standard is not reasonable and appropriate. If, having conducted a risk assessment, it is found that a particular standard is not reasonable and appropriate, then alternative safeguards must be put in place to replace the addressable safeguard.
Here's an example:
If PHI is being communicated between two devices in an office via a private network that does not use an open telecommunications channel, then there is no need to encrypt it. If, however, unencrypted PHI is being communicated over the Internet, via email or via a text service, there is a substantial risk of HIPAA data breaches. Indeed, anybody in the IT industry would say that it is practically inevitable that the data will be compromised over a period of time.
Most risk assessments should identify that the open communication of PHI represents a risk that must be addressed. Failing to address the risk is not an option and represents "willful neglect". The Office for Civil Rights comes down pretty hard on healthcare organizations who engage in willful neglect, as we see from the substantial data breaches over the last year.
When the Office for Civil Rights catches up with a healthcare organization guilty of willful neglect, it isn't pretty. The following are just a handful of examples of financial penalties handed out to negligent healthcare organizations following HIPAA data breaches. The guilty organizations also had to adopt "corrective measures" and report to the Office for Civil Rights semi-annually on how those measures were progressing.
Recognizing a theme running through the above? When you leave healthcare organizations to their own devices – get encrypted or don't expect much sympathy when HIPAA data breaches happen!
Learn how you can use TigerText to keep all communication encrypted and secure, no matter the device, today!