Hint: Most breaches are due to passive errors, not deliberate disclosures.
Based on evidence from recent HIPAA investigations, it’s not what you’re doing that will likely subject you to a breach enforcement — it’s what you’re not doing that could land you in hot water.
That was the word from Jim Sheldon-Dean, director of compliance services with Lewis Creek Systems, during a recent Eli-sponsored Audioeducator.com webinar, “HIPAA Audits in 2015 — Being Prepared and Avoiding Penalties.” The single biggest source of HIPAA breaches, both small and big, was theft, Sheldon-Dean said, which means that your failure to secure portable devices, cloud-based data, email passwords and other PHI-heavy sources is what’s putting you at the biggest risk.
Previous Data Shows You The Way
During previous reports to Congress in 2009 and 2010 about breaches impacting 500 or more individuals’ protected health information (PHI), 15 percent of breaches were due to loss, 56 percent to theft and another 5 percent were blamed on improper disposal. These are all failures of old-fashioned physical security over valuable data, which means that “if you’d just kept your hands on it, whether it’s paper or electronic, you wouldn’t have had a problem,” Sheldon-Dean said.
Another 17 percent of significant breaches in this category were caused by unauthorized access or disclosure, and 6 percent by hacking.
For smaller breaches affecting fewer than 500 individuals, 53 percent of the breaches were due to theft and another 18 percent were due to unauthorized access or disclosure.
The takeaway: Make sure your data is encrypted and otherwise secured, especially on portable items such as laptops, smartphones and memory sticks, which are easily lost or stolen. Encryption matters doubly here: PHI encrypted in line with HHS guidance is not “unsecured PHI” under the Breach Notification Rule, so the loss of a properly encrypted device is not a reportable breach, while the loss of an unencrypted one is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
You should also have clear and well-documented safeguards on the portable media that handle ePHI, reduce risk via enterprise storage, check fax numbers and addresses regularly, be careful handling PHI that’s mailed and raise the security awareness of your staff members, Sheldon-Dean added.
Perform Your Risk Analysis
Whenever you do a risk analysis, remember that each risk issue has an impact and a likelihood, he noted. The impact refers to how great the damage would be — a lot of information about a lot of people with excessive detail would have a greater impact. Likelihood refers to how likely it is that the risk issue would become a reality.
Once you analyze your organization’s risk, if you find breaches to report, don’t just tell the government, “We had a breach.” Instead, say, “We had a breach, we know what happened, we fixed the problem, we’ve had some improved training, policies and procedures, we’ve done some auditing to make sure everything is better, and you’ll never hear about this problem from us ever again.” If you include that type of information with your report, they’ll be less likely to ask further questions, Sheldon-Dean advised.
Audits ahead: There have been some indications about the upcoming HIPAA audit program and the fact that the government is actually going through the selection process for the audit targets, but there has not yet been a formal discussion outlining the details, Sheldon-Dean said. A description of when the audit program will hit and how it will work hasn’t been issued yet, but “we do know it’s getting closer and closer and they are hiring people to run the program … so they’re getting there,” he added.
You could be the subject of an audit after reporting your own breach, after being the target of a complaint, or via a random audit, he said. If you do get audited, show the auditors that you have policies and procedures in place as required by the HIPAA Privacy, Security and Breach Notification Rules, and demonstrate that you’ve been using them. For example, show your training materials and rosters, your security incident reports, and other supporting documentation.