Clarifying the Confusion Part III: Worst Case Scenario Security Breaches

By Terry Edwards  /  07 May 2013

HIPAA breachCompliance involving PHI is certainly high on the list of stress-inducing issues for healthcare leaders. And who can blame them? HIPAA violations can be extremely expensive, leaving these already-strapped organizations in an even more stressful financial situation.

For example, in 2012 the Massachusetts Eye and Ear Infirmary reached a $1.5 million agreement with HHS and agreed to enact corrective actions after an employee’s laptop containing unencrypted PHI was stolen. In another case, Blue Cross/Blue Shield of Tennessee reached a $1.5 million agreement with HHS after 57 unencrypted computer hard drives containing PHI of more than one million individuals was stolen from a leased facility. The health plan also incurred more than $17 million in direct expenses related to the investigation and remediation of the incident.


When it comes to securing PHI, these are some of the key issues keeping hospital execs up at night:

HIPAA fact

HIPAA Fact: Since 2003, the OCR has investigated more than 77,000 complaints of HIPAA violations, requiring correctiveaction in more than 18,000.

PHI data breaches are increasing in frequency – During the first three years after the compliance deadline for public reporting of PHI security breaches affecting more than 500 individuals, the HHS Office for Civil Rights (OCR) received reports of almost 500 such events. These breaches affected the PHI of more than 21 million individuals – and just over half of the events were the result of theft, with another 20 percent due to unauthorized access or disclosure. Thousands of breaches affecting fewer than 500 people also occurred, although public reporting of these incidents was not required at the time.

  • Audits will put risk assessments under the microscope – Prior to last year, HIPAA audits occurred only after a breach. Now, the HHS is being proactive, and will begin the audit process with a review of every organization’s risk assessment. In the HHS’ pilot audit program, two-thirds of participants – including 80 percent of providers – did not have a complete and accurate risk analysis. So providers need to prepare for the OCR’s permanent and expanded audit process and take an even closer look at risk assessments.
  • Drivers of compliance issues are evolving – One of the most frequent HIPAA compliance issues has been lack of administrative safeguards of ePHI. And in a 2012 study by the Ponemon Institute, 94 percent of the 80 CEs surveyed reported at least one data breach in the past two years. Nearly half reported more than five incidents, up from 29 percent in 2010. In these cases, the most common cause of breaches was loss or theft of a computing device (46 percent).
  • State regulation is also a concern – Most states have data breach notification statutes that apply to PHI, and state attorneys general have been actively investigating potential breaches. In 2012, South Shore Hospital reached a settlement with the Massachusetts attorney general’s office for violation of federal HIPAA provisions and state consumer protection laws. The hospital agreed to pay $750,000 and implement extensive corrective action after two boxes of unencrypted backup tapes containing PHI of more than 800,000 individuals were lost during shipment to an off-site facility.

These and other highly visible cases underscore the potential consequences of PHI breaches in cost and organizational reputation in the marketplace—and emphasize the importance of a proactive communications risk management strategy. In part IV – the final post in our security series – we’ll introduce strategies for safeguarding electronic communication of PHI.

Leave a Reply

Your email address will not be published. Required fields are marked *