The Biggest HIPAA Breach Risks Are Not in your EHR System

November 12, 2013

Worried about potential HIPAA security breaches? You don’t need to worry about your EHR …and that’s the problem.

HIPAA Security - the forgotten twin

HIPAA was signed into law nearly 20 years ago by President Bill Clinton. With all the administrative overhead that has grown up around it since, it's easy to forget that the "P" in HIPAA stands for "portability" (not "privacy" or "pain-in-the-neck"). It was designed to make our health records portable, so that we as patients could have more choice and more control over our providers.

That was clear back in 1996, and all medical practices, clinics, and hospitals dutifully developed and rolled out their HIPAA compliance policies, most of which created very little value for either patients or providers. 

The HIPAA Security Rule didn’t come out until 2003. It became effective in 2005, and it governed electronic records; up until then HIPAA only covered paper records. By that time, most practices and facilities were sick of HIPAA, and besides, HIPAA Security was much more complicated. Most practices assumed their IT departments and/or software vendors had HIPAA taken care of, so they largely ignored HIPAA Security.

ARRA/HITECH and Meaningful Use: The carrot and the stick …and it's a very big stick

The American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health (HITECH) Act in early 2009 allocated billions of dollars to encourage healthcare entities to significantly increase their use of EHRs. Privacy advocates were concerned about the potential risks, and they managed to get a significant increase in penalties written into the HITECH verbiage. Specifically, the maximum fines were increased from $25,000 to $1.5 MILLION.

Under ARRA/HITECH, the number of practices that have adopted EHRs has nearly doubled, but the effective penetration rate is still under 50 percent. There are many reasons, including the simple fact that transforming an entire industry from paper to electronic is going to take more than a few years. Many pundits have also pointed to HIPAA risks as a reason to eschew EHRs. The thinking for some is that with WikiLeaks, third-world hackers, and poorly designed software, EHRs represent an open door to HIPAA Security breaches. Some people make it just another excuse to ignore the many benefits of EHRs.

What do the actual HIPAA breach numbers show?

HHS has a website that lists all HIPAA breaches since 2009 that have involved more than 500 patient records. There have been nearly 700 reported breaches, and including a recent breach in Illinois involving nearly 4 million patient records, the total number of patient records is now nearly 27 million.

More importantly, what are the sources of those breaches? What can we learn about actual risks from the breach data?

First, a simple word search across all fields (location, type of breach, and summary description) shows that the following five keywords together account for more than 75 percent of the largest breaches:

Theft: 32 percent
Laptop: 17 percent
Computer: 12 percent
Portable: 8 percent
Loss: 8 percent

A search of "location=" in the HHS database reveals five issues that combine for over 75 percent of all breaches:

Laptop: 25 percent
Paper: 23 percent
Portable: 12 percent ("other portable electronic device")
Computer: 11 percent
Network Server: 10 percent

A search through "type of breach" reveals three issues that combine for more than 75 percent of all breaches:

Theft: 55 percent (includes theft combined with other causes)
Unauthorized Access: 19 percent
Loss: 12 percent
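The three tallies above are all the same operation: count how often a term appears in a field, or in all fields, of the HHS breach-report export, and express it as a share of reports. The script below is an added example, not part of the original article and not an HHS tool. It reads records in the column layout of the HHS breach portal's CSV export (column names are an assumption), but the six records embedded in it are constructed samples, not real breach reports. It reproduces the keyword-over-all-fields search, the per-field share, a share weighted by individuals affected (which the article's counts are not), and a check that surfaces reports mentioning "EHR" alongside their reported breach location, so a reviewer can see whether the EHR was actually where the breach happened.

```python
"""Keyword and field tallies over HIPAA breach-report records (added example)."""
import csv
import io
import re
from collections import Counter

# Constructed sample records in the shape of the HHS breach-portal CSV export.
# Entities, dates, and counts are made up for illustration; they are not real reports.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Web Description
Example Clinic A,IL,Healthcare Provider,4000000,2013-08-23,Theft,Laptop,Unencrypted laptops were stolen from an administrative office.
Example Hospital B,TX,Healthcare Provider,1200,2013-03-02,Loss,Other Portable Electronic Device,A USB drive containing patient data was lost in transit.
Example Plan C,CA,Health Plan,7500,2012-11-10,Unauthorized Access/Disclosure,Paper,Paper records were mailed to the wrong addresses.
Example Clinic D,NY,Healthcare Provider,900,2012-06-15,Theft,Desktop Computer,A desktop computer was stolen during a break-in.
Example Clinic E,FL,Healthcare Provider,2300,2013-01-20,Hacking/IT Incident,Network Server,An exposed network server was accessed by an unknown party.
Example Clinic F,OH,Healthcare Provider,650,2013-05-05,Theft,Laptop,"A laptop used to print EHR reports was stolen from a car; the EHR itself was not accessed."
"""

# The keywords the article searched for, plus "ehr" for the last check.
KEYWORDS = ("theft", "laptop", "computer", "portable", "loss", "ehr")
TEXT_FIELDS = ("Type of Breach", "Location of Breached Information", "Web Description")


def load_records(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def keyword_share(records, keywords=KEYWORDS, fields=TEXT_FIELDS):
    """Percent of records whose combined text fields contain each keyword.

    Matching is case-insensitive on a word prefix, so "laptop" also counts
    "laptops" and "Laptop". Percentages are rounded to whole numbers.
    """
    hits = Counter()
    for rec in records:
        blob = " ".join(rec[f] for f in fields).lower()
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw), blob):
                hits[kw] += 1
    total = len(records)
    return {kw: round(100 * hits[kw] / total) for kw in keywords}


def field_share(records, field):
    """Percent of records carrying each distinct value of one field (e.g. location)."""
    counts = Counter(rec[field] for rec in records)
    total = len(records)
    return {value: round(100 * n / total) for value, n in counts.most_common()}


def individuals_by(records, field):
    """Sum of individuals affected per field value: a few large thefts dominate here."""
    totals = Counter()
    for rec in records:
        totals[rec[field]] += int(rec["Individuals Affected"])
    return dict(totals)


def ehr_mentions(records):
    """(entity, reported location) for reports whose description mentions EHR.

    A mention of "EHR" in the narrative does not make the EHR the breach
    location; pairing it with the location column makes that visible.
    """
    return [
        (rec["Name of Covered Entity"], rec["Location of Breached Information"])
        for rec in records
        if re.search(r"\behr\b", rec["Web Description"].lower())
    ]


RECORDS = load_records(SAMPLE_CSV)

if __name__ == "__main__":
    print("keyword share (all fields):", keyword_share(RECORDS))
    print("share by type of breach:", field_share(RECORDS, "Type of Breach"))
    print("share by location:", field_share(RECORDS, "Location of Breached Information"))
    print("individuals by location:", individuals_by(RECORDS, "Location of Breached Information"))
    print("EHR mentions with reported location:", ehr_mentions(RECORDS))
```

To run it against the real export, replace SAMPLE_CSV with the file contents and keep the column names aligned with the download; the share functions count reports, so a single stolen laptop with millions of records weighs the same as a lost USB stick with 600 in the counts, which is why individuals_by is worth printing beside them.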

If you search through the HHS database for the word “EHR,” you indeed find it listed in 2 percent of the cases, but when you research the actual breach events, those incidents are not specifically related to, caused by, or within the EHR itself. They happen outside of the EHR.

Therefore, if a person argues that the increase of EHRs has increased HIPAA risk, the argument is not backed up by the data.

So what are the biggest HIPAA Security risks?

The biggest risks are not the Internet bad guys lurking in Who's-Bekistan, or a nascent genius trust-fund baby hiding in some darkened dorm room at High-Tech/Nerdy-University. The biggest risks are caused by - or enabled by - clinical and business office employees doing things with computer systems that they have no business doing, and doing it on IT systems that were poorly designed and poorly implemented.

The recent breach in Illinois was caused by theft of some laptops. That's not an IT problem, it's a system-design and human-behavior problem. Most of the other breaches have the same or similar root causes. Systems that are poorly designed, poorly implemented, and poorly operated are the root cause of the vast majority of HIPAA breaches.

IT systems should be designed so that no data can be stored on local devices, including laptops, workstations, portable USB drives, or any other endpoint. Data should be secured in a medical-grade data center, and the old-fashioned client-server architecture that has been the traditional model for the last 20 years should be replaced with virtualized thin- or zero-client technologies.

If you think the HIPAA compliance documentation from your EHR vendor makes you HIPAA compliant, you better think again.