Avoidable HIPAA Nightmares

August 2013 | Articles | Western Pennsylvania Healthcare News

You may be familiar with the adage, “there is no such thing as bad publicity as long as they get your name right.” One place you don’t want your organization’s name to appear is on HHS’s “Wall of Shame.” That’s the informal name of the list published by the U.S. Department of Health and Human Services (HHS) of breaches of unsecured protected health information (PHI) affecting 500 or more individuals. Smaller breaches must still be reported to HHS annually, but they are not subject to public disclosure.

What can you do to avoid this kind of ugly publicity and liability exposure? First, focus on the areas of greatest risk. Based on a 2012 report by HHS’s Office for Civil Rights (OCR), theft and loss account for 65 percent of large breaches. Laptops and other portable storage devices account for 38 percent of large breaches, paper records for 24 percent and desktop computers for 15 percent. Only 14 percent are associated with improper access to email, network services or electronic medical records.

If PHI is encrypted in a manner consistent with the standards of the National Institute of Standards and Technology (NIST), it is considered “rendered unusable, unreadable, or indecipherable to unauthorized individual persons” and is therefore no longer “unsecured” for breach-reporting purposes. In practice this means that a lost or stolen laptop carrying only NIST-consistent ciphertext, with the key kept elsewhere, is a very different event from one carrying readable records.

A second priority is to limit each use or disclosure of PHI to the “minimum necessary” to accomplish its intended purpose, so that a breach of any one system or workflow exposes as little as possible.