In September 2009, the Health and Human Services' Office for Civil Rights (OCR) began tracking healthcare information breaches affecting 500 or more individuals. Since then, 489 breaches affecting 21 million individuals have been recorded. OCR began tracking breaches in 2009 as part of the HITECH Act-mandated HIPAA breach notification rule. Federal officials have said that a final version of the breach notification rule will be issued by the end of the year as part of an omnibus package of regulations that will include HIPAA modifications.
One of the most recent and largest breaches added to the OCR tally occurred at a multiunit healthcare facility in Mississippi. A statement released by the system’s representative and posted on their website indicates that they are committed to maintaining the privacy and confidentiality of their patients’ information at all times. During a review of their patient information system conducted in April of 2012, they became aware of a possible breach. Using a web portal, an employee of an affiliated physician’s office may have been accessing patient information that was intended for physicians’ eyes only.
This facility is one of the many healthcare providers auditing records access to clamp down on unauthorized usage. According to their HIPAA privacy/security officer, this hospital has reduced incidents of inappropriate access from 50 per month to fewer than one or two incidents every couple of months. The access monitoring system that the hospital uses is provided by FairWarning, a privacy breach detection service for healthcare providers. It provides alerts and daily reports on incidents of inappropriate access and allows the hospital to audit user activity simultaneously across all audit sources.
"Automated reporting alerts you to potential inappropriate activity within hours of occurrence, versus days, weeks, or months after occurrence," the HIPAA privacy/security officer says. "This is vital for detecting possible breaches quickly, so subsequent investigations can be launched in a timelier manner."
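The kind of cross-source access auditing described above, as an added illustration that is not the hospital's or FairWarning's code: audit lines from a web portal and an EHR are normalised into one stream, and each access is checked against a treatment-relationship table, so that staff of an affiliated office viewing records they have no relationship with are flagged within the same day. The log layout, user names and assignment table are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit lines from two audit sources (web portal and EHR).
# The field layout is hypothetical, not any vendor's real export format.
PORTAL_LOG = """\
2012-04-03T09:12:05 portal user=dr.kim role=physician patient=P1001 action=view
2012-04-03T09:40:17 portal user=jlee role=office_staff patient=P1001 action=view
2012-04-03T10:02:44 portal user=jlee role=office_staff patient=P2200 action=view
"""
EHR_LOG = """\
2012-04-03T11:15:09 ehr user=nurse.ann role=nurse patient=P2200 action=view
2012-04-03T11:16:30 ehr user=jlee role=office_staff patient=P3300 action=print
"""

# Constructed treatment-relationship table: patients each user may legitimately access.
ASSIGNED = {"dr.kim": {"P1001"}, "nurse.ann": {"P2200"}, "jlee": {"P1001"}}

@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    role: str
    patient: str
    action: str

def parse(*logs):
    """Normalise lines from every audit source into one time-ordered event stream."""
    events = []
    for text in logs:
        for line in text.splitlines():
            ts, source, *pairs = line.split()
            f = dict(p.split("=", 1) for p in pairs)
            events.append(Event(datetime.fromisoformat(ts), source,
                                f["user"], f["role"], f["patient"], f["action"]))
    return sorted(events, key=lambda e: e.ts)

def inappropriate_access(events):
    """Return (user, patient, source, action) for accesses with no treatment relationship."""
    return [(e.user, e.patient, e.source, e.action)
            for e in events if e.patient not in ASSIGNED.get(e.user, set())]

def daily_report(events):
    """Count flagged accesses per user, the shape of a daily summary an officer would review."""
    counts = {}
    for user, *_ in inappropriate_access(events):
        counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    for alert in inappropriate_access(parse(PORTAL_LOG, EHR_LOG)):
        print("ALERT", *alert)
```

Because both sources feed one stream, the office-staff user's out-of-scope view via the portal and the later print from the EHR surface in the same report rather than in two separate reviews.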
The constant modifications in HIPAA regulations and monitoring by OCR have made it vital for healthcare professionals to secure electronic protected health information (EPHI). The first step in safeguarding EPHI is to perform a risk analysis to determine the level of risk. In addition to providing training to employees and changing passwords routinely to prevent unauthorized access, healthcare professionals should also consider using an access monitoring system such as FairWarning. Healthcare organizations should also ensure that affiliates and IT vendors are HIPAA compliant.
Our Dexcomm Experts have put together resources to assist you with HIPAA compliance
HIPAA & Your Business Associates