CyberScout

Calls for Stricter HIPAA Enforcement, Data Breaches Rise

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently issued its annual report on data breaches that may have exposed protected health information, and it shows that the number of people affected by such breaches is rising. Between September 2009 and December 2012, the OCR received 720 breach reports that together affected about 22.5 million people, according to the Annual Report to Congress on Breaches of Unsecured Protected Health Information.

The report also notes a shift in how breaches happen: a growing share of them stem from network intrusions into health care systems and websites, rather than from physical losses such as a stolen laptop or boxes of paper records taken from storage.

Risks of Noncompliance for Health Care Groups
Many smaller medical organizations, such as clinics and community hospitals, do not appreciate the significant penalties that follow from noncompliance with federal data privacy and security regulations, said Ted Kobus, partner and co-leader of the privacy and data protection team at the law firm BakerHostetler, according to Business and Legal Resources.

"They don't really understand the extent of compliance that's going to be required," Kobus said. "Many of them just aren't prepared to deal with an OCR investigation, and they're not prepared to show their compliance with the HIPAA security and privacy rules."

Kobus urged covered entities under the Health Insurance Portability and Accountability Act (HIPAA), such as health care providers, to take a proactive stance against legal liability: review the state and federal regulations that apply to them, and keep thorough documentation of the security and privacy decisions the organization makes and the controls it puts in place.

"Documenting and compliance are the two most important things," Kobus said. "If you're forced to do something that may not be exactly the way that you think the security rule requires you to do it, or you make a decision and accept a risk, the key is going to be documentation."

Recent Examples of Medical Data Breaches
Several data breaches have hit the health care industry recently, according to iHealthBeat. In one case, data on 661 patients was stolen from a Pennsylvania hospital in June. The information, which included patients' names, dates of birth and the last four digits of their credit card numbers, was taken from paper copies of receipts.

Another hospital, in Providence, Rhode Island, was sued after a 2011 breach affected 14,000 patients; this year the hospital reached a $150,000 settlement, according to the source. The breach occurred when unencrypted backup tapes disappeared from storage. Had the tapes been encrypted in line with the HHS guidance on securing protected health information, their loss would not have counted as a breach of unsecured PHI, which is why encryption of backup media and other data at rest is one of the most cost-effective controls a covered entity can adopt.

That settlement figure does not include the penalties the hospital could still face for noncompliance with federal regulations. Covered entities must follow the rules closely and make data security a top priority.

Mark McCurley is information security advisor at CyberScout Solutions.