Here are some unexpected sources of HIPAA data breaches
Your data security plan likely focuses on your server, workstations, backup and external media. However, no matter how robust your security solution is, training and compliance must be maintained consistently among the staff and across every possible source of patient Protected Health Information, whether electronic or on paper. Here is a list of 8 unexpected sources of data breaches at otherwise compliant practices.
1. Copy or Fax Machine Replacement
Keep in mind that your copiers and fax machines may store information electronically. The Affinity Health Plan paid $1.2 million to settle potential violations after disclosing PHI of almost 350,000 patients, according to HHS. This breach occurred when the health plan returned multiple photocopiers without erasing the data contained on the hard drives.
2. Incorrect FAX number
Double-check where you are faxing your patients’ data. One doctor’s office accidentally faxed a patient’s HIV status to his place of employment instead of his healthcare provider, according to HHS. The employee responsible for the breach received a written warning, and both the employee and physician apologized to the patient. OCR also required the practice to revise its fax cover page to underscore a confidential communication for the intended recipient. There is no indication that any fine was levied for the disclosure, but the breach was made public.
3. Unattended Delivery
After a physician retired and put his practice up for sale, one health system took custody of almost 5,000 patient medical records. Employees of the health system left several cardboard boxes containing these paper records on the driveway of the physician’s home. The health system had to pay $800,000 and adopt a corrective action plan, and the media was alerted.
4. Social Media
A medical center was held responsible for a breach due to one of its employees posting a photograph of a medical record, as reported in the Los Angeles Daily News. Apparently, the employee found humor in the diagnosis of the patient, and the post was available publicly due to the privacy settings on the account.
5. Working from Home
A hospital employee took documents home with her and left them on the Boston subway system. The documents contained PHI of almost 200 patients, and were never recovered. The hospital was made to pay $1 million to settle claims that it violated privacy rules by allowing an employee to bring sensitive charts offsite.
6. High Profile Records
On many occasions, hospitals and physicians have been held accountable for employees reading the records of their higher-profile patients. The charts of patients such as Tom Hanks, Leonardo DiCaprio, and Nirvana’s Kurt Cobain were among those breached. According to the Journal of AHIMA, a researcher was the first person to be sentenced to federal prison for a misdemeanor HIPAA offense.
7. Media Frenzy
One medical center treated a high profile injury that set off a media frenzy among several media outlets. The patient never gave his consent, yet the medical center reported on his status to the news. The medical center paid almost $300,000 in a monetary settlement to the patient.
8. Chart Flagging
A patient complained to OCR after he noticed his dental provider was flagging its medical records by placing a red sticker with the word “AIDS” on the outside of the record, where the name of the patient is visible. Patients and unauthorized staff could easily read the sticker. OCR required the practice to revise its policies and procedures to move medical alert stickers to the inside cover of the records.
The moral is that no matter how many controls you have on data and how thorough your policies and procedures are, mishaps by employees can lead to a breach. Keeping audit trails and regular HIPAA training in place can help maintain the compliance that your practice has fought hard to meet.