Lessons Learned From Recent Breaches
Those hoping to prevent major health information breaches should pay attention to valuable lessons to be learned from recent breach incidents reported to federal regulators.
So far, more than 120 major breaches have been reported to the Department of Health and Human Services' Office for Civil Rights as required under the HITECH Act breach notification rule. Some recently reported incidents point to the need to:
- Find out whether your business associates use subcontractors who know how to comply with HIPAA.
- Pay attention to the security of desktop computers as well as mobile devices.
- Be careful how you dispose of paper documents containing patient information.
Subcontractor Risk: South Shore Hospital in South Weymouth, Mass., hired Archive Data Solutions to destroy a number of backup computer files. The company, in turn, hired a third-party freight carrier, which picked up all the files to deliver them to a site for destruction, said an Archive Data Solutions spokesman. "Part of that shipment was lost," the spokesman acknowledged, so only a portion of the files was destroyed.
As a result, the hospital has notified 800,000 people about the breach.
The lesson: Be aware of the role that subcontractors can play.
Be sure to ask your business associates if they use subcontractors. Demand evidence that the subcontractors are reliable and follow adequate security procedures. And make sure those subcontractors have signed agreements confirming they are HIPAA-compliant. (A proposal to modify the HIPAA privacy and security rule makes it clear that both business associates and their subcontractors must comply.)
Desktop Security: A lot of attention has been drawn to the fact that a majority of the major breaches reported so far have involved the theft or loss of unencrypted mobile devices or media. But desktop devices also are vulnerable.
Montefiore Medical Center in New York recently notified 39,000 patients about two incidents involving the theft of unencrypted desktop computers containing personal information.
The lesson: When you're considering what computers to encrypt, keep in mind that laptops aren't the only devices vulnerable to theft. Desktop PCs also may merit encryption. And by all means, try to keep desktop devices behind locked doors after hours.
Pitching Paper: Drugstore chain Rite Aid recently paid a $1 million federal fine and agreed to adopt new security policies in the wake of media reports that some of its stores improperly disposed of prescriptions and pill bottles containing patient information. The information was discovered in easily accessible dumpsters behind stores.
The lesson: Shred documents before disposal, such as when making the transition from paper to electronic records.