
November Breach Summary

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

All HIPAA breaches are investigated by the US Department of Health and Human Services – Office for Civil Rights (OCR). The OCR maintains a website that lists breaches under investigation as well as those that have been resolved. Reviewing this site can provide insight into what has gone wrong for other medical providers. It can help us to understand the steps we can take to avoid similar breaches in our practices. A review of the breaches between November 1 and November 23 reveals the following interesting information:

Who experienced the breach?

  • 2 breaches occurred at business associates
  • 5 breaches occurred at health plans
  • 19 breaches occurred at health care providers

How did the breaches happen?

  • 12 breaches due to hacking incidents
  • 12 breaches due to unauthorized access to medical records
  • 1 breach due to improper disposal of medical records
  • 1 breach due to loss of medical records
  • 1 breach involved a network server

What systems were involved in the breaches?

  • 8 breaches involved paper records or plain films
  • 7 breaches involved email
  • 1 breach involved a desktop computer
  • 1 breach involved the electronic medical record
  • Breaches during this time ranged in size from 1,428 to 176,857 patient records

Utilizing a cloud-based electronic health records system can lull practices into a false sense of security when it comes to HIPAA. Many providers have voiced the opinion “My EHR provider is HIPAA compliant and takes care of all my HIPAA Security”. Looking at the type and nature of the breaches in November, it does appear that cloud-based EHR vendors are doing an exceptionally good job of protecting the information you are storing on their systems. But you are still at risk of a HIPAA breach or HIPAA incident.

This is important because it underscores that HIPAA compliance involves much more than electronic medical records.

When we think about HIPAA, we need to consider all aspects of our practice. Most breaches in November did NOT involve electronic health records. We see breaches due to paper records, plain films, email issues, and improper disposal of medical records. The protections built into our EHR systems do not extend into the other aspects of our practice that pose a risk of a patient privacy breach.

The vast majority of HIPAA breach investigations conclude that failure to perform a proper HIPAA Security Risk Analysis, or failure to update the Security Risk Analysis, was one of the root causes of the breach. A healthcare provider is required by law to have an up-to-date HIPAA Security Risk Analysis. Failure to complete the risk analysis can be considered “Willful Neglect”. Should a provider be found to be in willful neglect of the HIPAA regulations, the federal government is REQUIRED by law to levy fines against the organization responsible for the breach.

However, when a provider has completed an up-to-date HIPAA Security Risk Analysis, they have a way to avoid fines associated with the breach. Should a medical provider experience a breach while having an up-to-date HIPAA Security Risk Analysis, and should they be able to remediate the breach within 30 days of discovery, the federal government is PROHIBITED by law from fining the provider.

A well-done and up-to-date HIPAA Security Risk Analysis will help you to implement measures that minimize the chance of a breach, and therefore prevent some breaches from happening. This same process will also be vital in helping you to avoid fines should your practice or organization experience a breach.

Your HIPAA Security Risk Analysis includes an action plan. This action plan is your Risk Mitigation Plan. These are the measures you need to put into place to minimize the possibility of a breach. Just producing the document is not enough; you MUST follow through on your Risk Mitigation Plan.

The HIPAA Security Risk Analysis is one of the requirements of the MIPS Program. With the end of the year only one month away, now is a good time to review your Risk Analysis and your Risk Mitigation Plan.

If you have not updated your Risk Analysis recently, or have never completed a Risk Analysis with a Risk Mitigation Plan, TLD Systems can assist you in completing this vital task before the end of 2020.

TLD Systems encourages you to take all steps necessary to avoid a breach and to avoid being featured on the OCR list of breaches under investigation, which can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Learn more about TLD Systems on the AdvancedMD Integration Partners website.



Michael Brody, DPM
Dr. Brody has been actively involved in computers and medicine since the 1980s. He is a Residency Director at a VA hospital located in Long Island, NY. Notably, he was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees must adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick. They wanted to create a platform for private practice doctors that provides a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-chair of the EHR workgroup at Health Level Seven International (HL7).
