The Biggest Threat to HIPAA Compliance: Employees
When we hear of a security breach involving electronic protected health information (ePHI), we often assume it was an outside job. That isn’t always the case. In fact, more often than not, employees cause violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
Experian Information Solutions, Inc. reports in its 2015 Second Annual Data Breach Industry Forecast:
“Although there is heightened sensitivity for cyber attacks amongst business leaders, a majority of companies will miss the mark on the largest threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to industry research, this represented 59 percent of security incidents in the last year.”
On August 11, 2011, Lahey Hospital and Medical Center, Burlington, Massachusetts, notified the Office for Civil Rights (OCR) that a laptop was stolen from an unlocked treatment room during the overnight hours. The laptop was used to operate a computed tomography (CT) scanner and produce images for viewing. The laptop contained ePHI of 599 individuals.
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify individuals of a breach of their unsecured PHI. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving the state or jurisdiction, and the HHS secretary must be notified within 60 days of discovery.
HHS announced November 25, 2015, that a settlement had been reached between Lahey and the government. Lahey agreed to pay $850,000 and to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance plan.
“It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” said OCR Director Jocelyn Samuels. “Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
Regarding workstations, OCR recommends providers:
- Conduct a thorough risk analysis of all ePHI.
- Physically safeguard workstations that access ePHI.
- Implement and maintain policies and procedures for safeguarding ePHI maintained on workstations.
- Use unique user names for identifying and tracking user identity on workstations.
- Implement procedures that record and examine activity on workstations.
Additionally, screening prospective employees for prior convictions helps reduce the chance of bringing untrustworthy people into the workplace. Locking the doors of rooms where devices containing sensitive data are kept is prudent as well.
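Two of the OCR recommendations above, unique user names for tracking identity and procedures that record and examine workstation activity, only pay off if someone actually reviews the log. The following script is an added example, not code from the article, OCR or Lahey; it assumes a simple comma-separated audit log (timestamp, workstation, user, action), a constructed set of sample lines, a hypothetical list of generic account names, and a 22:00 to 06:00 overnight window. It flags activity under shared accounts (which defeats the "unique user name" control) and activity during overnight hours, and tallies events per account.

```python
"""Review a workstation audit log for shared accounts and after-hours activity.

Added example, not from the article or from OCR: the log format, the
account names and the overnight window are all assumptions made for
illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: ISO timestamp, workstation, user, action.
SAMPLE_LOG = """\
2011-08-10T14:05:12,CT-WS-01,jsmith,login
2011-08-10T14:07:40,CT-WS-01,jsmith,open_study
2011-08-10T23:48:03,CT-WS-01,ctroom,login
2011-08-10T23:49:11,CT-WS-01,ctroom,export_images
2011-08-11T02:15:27,LAB-WS-03,techuser,login
2011-08-11T09:02:55,LAB-WS-03,mlee,login
"""

# Account names that do not identify one person (assumed for the example).
GENERIC_ACCOUNTS = {"ctroom", "techuser", "admin", "scanner"}


def parse_log(text):
    """Turn the comma-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, workstation, user, action = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "workstation": workstation,
            "user": user,
            "action": action,
        })
    return events


def shared_account_events(events, generic=GENERIC_ACCOUNTS):
    """Events performed under an account that cannot be tied to one person."""
    return [e for e in events if e["user"] in generic]


def after_hours_events(events, start_hour=22, end_hour=6):
    """Events in the overnight window (default 22:00 to 06:00)."""
    return [e for e in events
            if e["time"].hour >= start_hour or e["time"].hour < end_hour]


def activity_by_user(events):
    """Count of events per account: the basic 'examine activity' view."""
    return Counter(e["user"] for e in events)


def review(text):
    """Summarise the findings a reviewer would want from one day's log."""
    events = parse_log(text)
    return {
        "shared_accounts": sorted({e["user"] for e in shared_account_events(events)}),
        "after_hours": [(e["time"].isoformat(), e["workstation"], e["user"], e["action"])
                        for e in after_hours_events(events)],
        "activity": dict(activity_by_user(events)),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the review reports two shared accounts (ctroom, techuser) and three overnight events, two of them an image export from the CT workstation under a shared login; that is exactly the kind of entry a periodic log review should surface, and it cannot be attributed to an individual unless the unique-user-name control is enforced.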