Breaches of Fewer Than 500 Patients No Less Severe
Your practice can no longer brush off a breach of electronic protected health information (ePHI) because fewer than 500 patients were affected. Under HIPAA and the HITECH Act, a breach affecting a handful of patients carries the same compliance obligations, and the same enforcement exposure, as a large one.
The Hospice of North Idaho’s recent $50,000 settlement with the Department of Health & Human Services (HHS) is the first HHS settlement for a breach affecting fewer than 500 patients. In that case, an unencrypted laptop containing the ePHI of 441 patients was stolen in 2010. During its review, HHS’ Office for Civil Rights (OCR) determined that the hospice had not conducted a risk analysis to safeguard its ePHI and had no policies or procedures addressing mobile device security. According to HHS, reported ePHI breaches nearly doubled last year, mostly as the result of lost or stolen laptops.
A breach is defined by HHS as “the unauthorized acquisition, access, use, or disclosure of protected health information, which compromises the security and privacy such that the use of the information poses significant risk of financial, reputational, or other harm to the affected individual.” Only breaches of “unsecured” PHI, in any form, trigger the notification requirement. Under HHS guidance, PHI counts as secured only if it has been rendered unusable, unreadable, or indecipherable to unauthorized persons, in practice by encryption that follows NIST guidance (with the decryption keys kept separate from the encrypted data) or by proper destruction. A stolen laptop whose disk is encrypted in that way is therefore generally not a reportable breach; the hospice’s laptop was not encrypted, so its theft was.
When a breach of unsecured PHI is discovered, notice must be sent to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery. The notice goes by first-class mail, or by email if the individual has agreed to electronic notice. If contact information is out of date, substitute notice is required: for 10 or more such individuals, a conspicuous posting on your website home page for 90 days or a notice in major print or broadcast media, in either case with a toll-free number. If the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified. Breaches of 500 or more individuals must be reported to HHS at the same time as the individuals are notified; smaller breaches, the subject of this article, must still be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. You must include the following in the notice:
- The date of the breach and the date it was discovered
- A brief description of what happened
- The types of unsecured PHI involved (for example, names, Social Security numbers, dates of birth, or diagnoses)
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what you are doing to investigate the breach, mitigate harm to individuals, and protect against further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, a website, or a postal address
The best strategy is to avoid a reportable breach in the first place. Include mobile device security in your compliance plan, and take the time to analyze which practices put your data at risk. Can those risks be eliminated? Often not entirely: a hospice or home health agency, for example, needs its staff to carry laptops to patients’ homes. What can be done is to make a lost or stolen device a non-event. Full-disk encryption that meets the HHS guidance takes the data out of the “unsecured” category, so a theft generally does not have to be notified; storing ePHI with a cloud service that has signed a business associate agreement, rather than on the laptop’s hard disk, limits what a thief actually gets; and regular training on computer security reduces the chance that a device is left in a car or has its password taped to the lid. Together, these measures might well have prevented a case like the Idaho one.
Perform a thorough assessment of the potential risks to the confidentiality, integrity, and availability of the ePHI your practice holds, including ePHI on laptops, phones, and portable media, and implement security measures that are reasonable and appropriate to reduce those risks and vulnerabilities to an acceptable level. This risk analysis is a required element of the HIPAA Security Rule, and its absence was OCR’s first finding in the Idaho case, so document both the analysis and the decisions that follow from it.