This detailed report describes the types and numbers of breaches reported to the HHS Office for Civil Rights (OCR) that occurred between 2011 and 2012, and provides cumulative data on breaches reported since September 23, 2009, when the breach notification requirements went into effect. It also describes the OCR investigations and enforcement actions with respect to the reported breaches, and the actions taken by covered entities and business associates in response to them.
It would be prudent for all covered entities and their business associates to pay special attention to the “Lessons Learned” section towards the end of the report.
HHS recommends that healthcare organizations pay special attention to the following areas in their compliance efforts to avoid common types of data breaches. My comments are in red.
Risk Analysis and Risk Management
Conduct a comprehensive Risk Analysis of the computing environment. Identify potential threats and vulnerabilities to all electronic protected health information (ePHI). This includes ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ePHI transmitted across networks.
Take appropriate security measures to mitigate the identified risks to the ePHI.
Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware, and websites, or other changes to information systems, to ensure PHI will not be at risk when the changes are implemented.
Conduct a yearly security program review. Every organization undergoes changes in its personnel, technology and workflow. These changes can alter the ePHI risk profile, and new data security measures may need to be implemented.
Security and Control of Portable Electronic Devices
Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as how such devices and the information on them should be secured when off-site.
Implement authentication, authorization and audit protocols to ensure that you know where the devices are at all times and who has access to them. These protocols should be well-documented.
Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party, such as a leasing agent. Obtain a certificate of destruction if using an outside recycling company that clearly documents the method of device destruction.
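A certificate of destruction documents what a vendor says it did; a practitioner handing off equipment should also verify the wipe before it leaves the building. The following is an added example and is not part of the HHS report or any vendor's tooling. It assumes the device (or an image of it) is readable as a file path such as /dev/sdX on Linux, and that the disposal policy specifies either a zero-fill or a random overwrite; the sampling scheme, the 7.5 bits/byte entropy threshold, and the constructed demo images are illustrative assumptions.

```python
"""Verify that a device or disk image was actually overwritten before disposal.

Added example for the disposal guidance above; not HHS or vendor code.
Assumptions: the device is readable as a file path (e.g. /dev/sdX or an image),
and the wipe policy is either "zero" (fixed fill byte) or "random" (overwritten
with random data). Sampling and the entropy threshold are illustrative choices.
"""
import math
import os
import sys
import tempfile
from collections import Counter


def byte_entropy(chunk):
    """Shannon entropy in bits per byte: 0 for a uniform fill, close to 8 for random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def sample_offsets(size, samples, chunk_size):
    """Offsets to read. samples=None reads the whole device; otherwise evenly spaced
    offsets that always include the first and last chunk."""
    last = max(size - chunk_size, 0)
    if samples is None:
        offs = list(range(0, last + 1, chunk_size))
        return offs if last % chunk_size == 0 else offs + [last]
    step = max(last // max(samples - 1, 1), 1)
    offs = sorted({min(i * step, last) for i in range(samples)} | {last})
    return offs


def verify_wipe(path, expect="zero", samples=None, chunk_size=4096, fill=b"\x00"):
    """Return (ok, findings). Each finding is (offset, reason) for a sampled chunk
    that does not look wiped under the expected policy."""
    if expect not in ("zero", "random"):
        raise ValueError("expect must be 'zero' or 'random'")
    findings = []
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)  # works for block devices, unlike os.path.getsize
        for off in sample_offsets(size, samples, chunk_size):
            f.seek(off)
            chunk = f.read(chunk_size)
            if not chunk:
                continue
            if expect == "zero":
                expected = (fill * (len(chunk) // len(fill) + 1))[: len(chunk)]
                if chunk != expected:
                    findings.append((off, "non-fill bytes present, entropy %.2f bits/byte"
                                     % byte_entropy(chunk)))
            else:
                h = byte_entropy(chunk)
                if h < 7.5:  # a 4 KiB random chunk measures ~7.95; structured data is far lower
                    findings.append((off, "low entropy %.2f bits/byte, not random overwrite" % h))
    return (not findings, findings)


def run_demo():
    """Build three constructed images in a temp dir and verify each (demo data, not real PHI)."""
    d = tempfile.mkdtemp()
    results = {}
    zero = os.path.join(d, "zero.img")
    with open(zero, "wb") as f:
        f.write(b"\x00" * (1 << 20))
    # Same image but with a residual plaintext record left in the middle of the disk.
    residue = os.path.join(d, "residue.img")
    data = bytearray(1 << 20)
    record = b"Patient: Jane Doe, DOB 1960-01-02, MRN 1234"  # constructed sample residue
    data[512 * 1024: 512 * 1024 + len(record)] = record
    with open(residue, "wb") as f:
        f.write(data)
    rnd = os.path.join(d, "random.img")
    with open(rnd, "wb") as f:
        f.write(os.urandom(1 << 20))
    results["zero_full"] = verify_wipe(zero)
    results["zero_sampled"] = verify_wipe(zero, samples=16)
    results["residue_full"] = verify_wipe(residue)
    results["random_as_random"] = verify_wipe(rnd, expect="random")
    results["zero_as_random"] = verify_wipe(zero, expect="random")
    return results


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        ok, findings = verify_wipe(sys.argv[1], expect=sys.argv[2] if len(sys.argv) > 2 else "zero")
        print("WIPE OK" if ok else "WIPE FAILED: %d suspicious chunks" % len(findings))
        for off, reason in findings[:20]:
            print("  offset %d: %s" % (off, reason))
        sys.exit(0 if ok else 1)
    for name, (ok, findings) in run_demo().items():
        print("%-18s %s" % (name, "ok" if ok else "FAILED (%d findings)" % len(findings)))
```

Run it against a device with `python verify_wipe.py /dev/sdX zero` (or `random`) after the vendor or your own tooling reports completion; with no arguments it runs the constructed demo. Note the sampled mode (`samples=16`) is only a spot check and will miss a small residual record, as the demo's residue image shows when scanned fully but would not when sampled sparsely; for equipment leaving your control, read the whole device. A drive that still holds structured data at any offset should not be released, regardless of what the certificate says.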
Physical Access Controls
Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI.
Ensure that passkeys and other access credentials to facilities are deactivated or taken back when an employee resigns or is terminated from the company. Have proper policies and procedures for granting and/or terminating physical access to individuals.
Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.
Do not underestimate the value of employee training. Employees are usually the weakest link in the security chain. Regular training is the only way an organization can create a culture of security within its workforce.