Step up HIPAA compliance by identifying what's getting other practices into trouble, and taking steps to avoid making the same mistakes.
All practices should be working hard to ensure they are HIPAA compliant. But with so much to focus on, it can be difficult to determine what compliance areas deserve the most attention.
One way to craft an effective, targeted compliance strategy is by identifying what's getting other practices into trouble most often, and taking steps to prevent similar mistakes at your practice.
At the Healthcare Information and Management Systems Society (HIMSS) conference in Chicago, Adam Greene, a partner at Davis Wright Tremaine LLP, a national business and litigation law firm, identified some of these common problem areas during his session, "Preparing for a New Level of HIPAA Enforcement."
Common Sources of HIPAA Breaches
To illustrate what's leading to breaches most often at practices and health systems, Greene shared top sources of HIPAA breaches involving 500 or more individuals by number of individuals affected.
He compiled the information in February 2015 from the HHS and its Office for Civil Rights (OCR) Breach Portal, which features information on breaches that occurred from the start of the breach reporting period in September 2009.
• 53 percent of breaches occurred due to theft of protected health information (PHI). "We're not talking about mission impossible hanging from a wire kind of theft," said Greene. Instead, he said, most of the thefts appear to be "crimes of opportunity," such as a thief breaking into a window or car and stealing a laptop.
• 18 percent of breaches occurred due to unauthorized access or disclosure of PHI.
• 8 percent of breaches occurred due to loss of PHI.
• 4 percent of breaches occurred due to improper disposal of PHI.
• 13 percent of breaches occurred due to unknown causes and unknown causes.
Common Types of Media Involved in HIPAA Breaches
Greene also shared the most common types of media involved in HIPAA breaches. Again, the information is based on data he pulled from the HHS and OCR Breach Portal involving 500 or more individuals by number of individuals affected.
• 23 percent of breaches related to PHI stored on paper/films. Of this statistic, Greene said it's clear that amidst the push for electronic information, paper-based media should not be overlooked when it comes to HIPAA compliance. "We really need to be more focused on paper," he said.
• 21 percent of breaches related to PHI stored on laptops.
• 12 percent of breaches related to PHI on a network or server.
• 11 percent of breaches related to information stored on a desktop computer.
• 9 percent of breaches related to information stored on other electronic devices.
• 6 percent of breaches related to information included in e-mails.
• 4 percent of breaches related to information in EHRs.
• 14 percent of breaches related to other types of media.
Common HIPAA Compliance Problem Areas
For more insight into the HIPAA compliance areas that practices are most struggling with, Greene shared some of the top issues identified during the HIPAA Pilot Audit Program, which took place between 2011 and 2012.
• In relation to the HIPAA Security Rule, the program found that 80 percent of providers did not have a complete or accurate risk analysis. Other issues found in audits included lack of access management (such as failure to put appropriate role-based access safeguards in place); failure to have appropriate security incident procedures in place (such as those related to workstation security); and failure to encrypt PHI.
• In relation to the HIPAA Privacy Rule, common problems identified in the audit program included: Inadequate procedures related to the Notice of Privacy Practices (such as not giving the notice out appropriately or failing to post it appropriately); and failure to have appropriate procedures related to patients' right to request privacy protections.
• In relation to the HIPAA Breach Notification Rule, common problems identified in the audit program included failing to provide breach notification appropriately (such as failing to include the proper content in the notification); and failure to comply with timelines regarding notification.