According to new data, the number of patients affected by HIPAA breaches in 2015 has increased by more than 800 percent since last year.
And these numbers are actually on the low end because the Office for Civil Rights (OCR) Breach Portal only tracks breaches affecting 500 or more individuals.
Here’s a breakdown of the data.
In 2014, the breach portal received 285 reports of data breaches affecting 500 or more individuals. The incidents involved a mix of business associates, healthcare providers, and health plans. Providers ran the gamut from single-physician practices up to multi-specialty organizations.
The bulk of the breaches involved the following:
· Improper disposal – 10
· Loss – 28
· Hacking/IT incidents – 31
· Unauthorized access/disclosure – 68
· Theft – 109
Total individuals affected by the 2014 reported breaches surpassed 12.5 million.
2015 data is still being reported, but as of December 4, 2015, there had been 246 breaches reported via the portal. Again, those are only breaches affecting 500 or more individuals.
Entities reporting via the portal include business associates, healthcare providers, and health plans. Similar to 2014, providers encompassed everyone from single- to multi-physician practices.
The breaches were categorized as follows:
· Improper disposal – 5
· Loss – 22
· Hacking/IT incidents – 55
· Theft – 73
· Unauthorized access/disclosure – 91
Although the total number of 2015 breaches will likely be lower than in 2014, the quantity of individuals affected has skyrocketed.
More than 113 million individuals have fallen victim to the breaches this year, resulting in an 800 percent increase from 2014.
The Office for Civil Rights hasn’t exactly been shy about assigning HIPAA breach settlements this year either. It has already handed out four six-figure settlements, plus the latest one of $3.5 million to Triple-S Management Corporation.
With each passing settlement, OCR Director Jocelyn Samuels has remained clear on the immense responsibilities placed on all healthcare organizations: “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”
Many of these breaches could have been avoided or significantly reduced in their reach if a thorough risk assessment had been completed. Organizations often fail to evaluate all potential breach pathways, including mobile devices and proper disabling of employee network access following termination.
This free security risk assessment tool can get you started, but you’ll definitely want a more in-depth analysis too.
At a minimum, you should look for an assessment program that evaluates the:
· Code of Federal Regulations (CFRs) for the HIPAA Privacy Rule including the areas of general authorization, uses and disclosures, and administration of policies and procedures.
· CFRs for the HIPAA Security Rule, including the administrative, physical, and technical safeguards.
· impact of all verbal, written, and electronic communications on personal health information.
One such program that satisfies the OCR’s requirement for an annual risk assessment is HIPAA My Way (screenshot below).
For even greater coverage, organizations should couple this with customized HIPAA policy and procedure templates.
Are you surprised with this huge increase? What is your healthcare organization doing in terms of prevention? Please join the conversation below.