Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).¹ The information provided to HHS provides companies with a high level of insight concerning the types of breaches that occur in the health care industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in as of November 11, 2016 shows, for a second year in a row, unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, are the most common forms of data breach in the health sector. The following provides a snapshot of information concerning healthcare data breaches.

Things to consider when reviewing your information security program in light of HHS data:

1. Implement different access levels for employees’ access to PHI based on their job duties;
2. Immediately stop access to PHI by terminated employees and escort them if necessary;
3. Require a two-step verification process to ensure that mail and email recipients’ information is correct before sending invoices or appointment reminders;
4. Transition from paper records to secure, encrypted computer databases;
5. Shred paper records when no longer needed;
6. Prevent break-ins by implementing physical safeguards such as security alarms, security guards, and locks on windows and doors.

1. 45 C.F.R. §164.408(a)-(b).

2. U.S. Dep't of Health and Human Servs. Office for Civ. Rights, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (November 11, 2016).

3. Id.

4. Id.

5. Id.

[View source.]