Some of the most common HIPAA violations stem from employees making simple mistakes. A compliance program should emphasize this risk.

• A common mistake is sending an email to the wrong person.

• An Excel file may contain hidden tabs of protected health information.

• Look for groups of employees who may need more training.

A HIPAA compliance program must address the high-tech risks and threats that can lead to a data breach, but many violations are the result of simple, easily avoidable errors by employees. Focus on those as much as the more complex technological solutions, one expert suggests.

Recent research from Johns Hopkins Carey Business School in Washington, DC, and Michigan State University in East Lansing found that mailing mistakes by employees were the second most common cause of data breaches in a review of 1,138 incidents, accounting for 10.5%. Only theft by outsiders or unknown people accounted for more data breaches, with 32.5%. The third most common cause was theft by current employees, at 9%. (An abstract of the report is available online at: https://bit.ly/2VUPCeh.)

Pay Attention to Emails

The data support the need for technological safeguards like encryption, but they also highlight the need to help employees avoid basic mistakes like sending an email to the wrong person or sharing an Excel file with hidden tabs of patient data, says Mark Bower, chief revenue officer of Egress Software in Boston.

“Misdirected email is quite a significant risk for organizations. It comes about because with tools like Outlook or Gmail, you have the autofill feature that fills in an email address you’re typing, but quite often, it is the wrong one,” Bower says. “That can result in content that is inadvertently sent to the wrong recipient because the person was trying to do the right thing but the automation failed them.”

Another common risk is accidentally sending additional data along with the intended content, Bower says. This is an easy mistake with a spreadsheet program like Excel, he says.

“You may be intending to send only something fairly mundane, like how many new customers you acquired this month. But the report you send may have another tab on the spreadsheet, not obvious to you, that contains medical information on those patients or Social Security numbers,” Bower explains. “This is a simple error that even experienced users can make.”

Focus on Training to Avoid Errors

Better training and reminders about the risk can help with problems like misdirected email, Bower says. Some organizations also are beginning to use technology with artificial intelligence that can detect abnormal behavior — such as sending a type of data file to an email recipient who has never been sent that file before — and provide an alert, with options for correcting the possible error, Bower says.
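The two error classes Bower describes, a hidden spreadsheet tab riding along with a mundane report and a file type going to a recipient who has never received one, can both be checked at send time. The Python below is an added example written for this article; it is not Egress Software's product or code. It assumes an outgoing-mail log shaped as (sender, recipient, attachment filename) triples, reads worksheet visibility directly from the `xl/workbook.xml` part of an `.xlsx` container, and uses only constructed sample data (the `make_sample_xlsx` helper builds a stand-in zip that contains just that workbook part, not a complete spreadsheet).

```python
"""Send-time checks for two common HIPAA 'simple mistake' risks:
(1) a recipient/attachment-type pair this sender has never used before, and
(2) hidden or veryHidden worksheets inside an .xlsx attachment.
Standard library only; all sample data below is constructed for illustration."""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample of historical outgoing mail: (sender, recipient, attachment filename).
HISTORY = [
    ("alice@clinic.example", "bob@clinic.example", "schedule.xlsx"),
    ("alice@clinic.example", "bob@clinic.example", "notes.docx"),
    ("alice@clinic.example", "lab@partner.example", "results.pdf"),
    ("carol@clinic.example", "lab@partner.example", "results.pdf"),
]

# Namespace of the <sheet> elements in xl/workbook.xml (SpreadsheetML main namespace).
SPREADSHEETML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def attachment_type(filename):
    """Lowercase extension without the dot, or '' when the name has none."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def build_baseline(history):
    """Map (sender, recipient) -> set of attachment types previously sent to them."""
    baseline = defaultdict(set)
    for sender, recipient, filename in history:
        baseline[(sender, recipient)].add(attachment_type(filename))
    return baseline


def misdirection_alerts(baseline, sender, recipients, attachments):
    """Alerts for recipients this sender has never mailed, or never sent this file type."""
    alerts = []
    for recipient in recipients:
        key = (sender, recipient)
        if key not in baseline:
            alerts.append(f"{recipient}: no prior mail from {sender}")
            continue
        for filename in attachments:
            kind = attachment_type(filename)
            if kind not in baseline[key]:
                alerts.append(f"{recipient}: first .{kind} attachment from {sender}")
    return alerts


def hidden_sheets(xlsx_bytes):
    """Names of worksheets whose state attribute is 'hidden' or 'veryHidden'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [
        sheet.get("name")
        for sheet in root.iter(f"{{{SPREADSHEETML_NS}}}sheet")
        if sheet.get("state", "visible") in ("hidden", "veryHidden")
    ]


def make_sample_xlsx(sheets):
    """Constructed stand-in: a zip holding only xl/workbook.xml with the given
    (name, state) sheets; state None means visible. Not a complete .xlsx."""
    sheet_xml = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook = (
        f'<workbook xmlns="{SPREADSHEETML_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheet_xml}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
    return buf.getvalue()


def review_outgoing(baseline, sender, recipients, attachments):
    """Run both checks on one outgoing message; attachments is {filename: bytes}."""
    alerts = misdirection_alerts(baseline, sender, recipients, list(attachments))
    for filename, data in attachments.items():
        if attachment_type(filename) == "xlsx":
            for name in hidden_sheets(data):
                alerts.append(f"{filename}: hidden worksheet '{name}' would be sent too")
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    report = make_sample_xlsx([("Summary", None), ("Patient SSNs", "hidden")])
    for line in review_outgoing(baseline, "alice@clinic.example",
                                ["bob@clinic.example", "lab@partner.example"],
                                {"monthly_report.xlsx": report}):
        print("ALERT", line)
```

In the sample run, Bob has received `.xlsx` files from Alice before, so only the lab address (which has only ever received PDFs from her) and the hidden "Patient SSNs" tab produce alerts. Treat a first-time alert as a prompt to confirm rather than a hard block, and keep a count per sender: the same events, accumulated over time, are the "hot spots" of employees who need extra guidance that the article describes.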

“There is a shift toward taking on these guiderails from machine learning and artificial intelligence, providing a technological solution that addresses these very basic human errors, especially the kind that are facilitated by imperfect automation,” Bower says. “They aim to detect errors in even the most common situations. Then you can use the accumulated data to look at the employee population and see where you might have hot spots of employees who might need a little more guidance and training.”

In addition to simple errors, some employees resort to practices that they might know are improper because the employer has not provided a more secure way of communicating.

“Quite often, there are gaps created by the need to share information outside the realm of the electronic health record, which has built-in compliance controls,” Bower says. “You may need to share information with outside organizations for analysis or expert opinion. If the system makes that difficult, you can find people using workarounds like sending old-style CDs, jump drives, or even mailing out data in order to collaborate and get on with the job of providing healthcare.”

• Mark Bower, CEO, Egress Software, Boston. Phone: (800) 732-0746.