HIPAA Regulatory Alert: Report offers guidance on security threats

Analysis of HHS breach data shows gaps

Business associate breaches represent the greatest threat to a healthcare organization's data security, according to a white paper produced by Miami-based accounting firm Kaufman, Rossin & Co.

An analysis of all of the breaches posted on the Health and Human Services website between Jan. 1, 2010, and Dec. 31, 2011, shows that in 2010, 42 incidents occurred in which a covered entity's breach was due to a business associate. In 2011, 32 incidents related to business associates were reported. The report shows that one in five breaches occurred at a business associate's location. (For more information about business associates and HITECH, see "Don't wait: Start reviewing BA agreements now," HIPAA Regulatory Alert, November 2010, p. 1.)

Some of the key numbers included in the report:

• 19.1 million — The total number of individuals affected by breaches of protected health information since reporting began in August 2009 through the end of 2011.

• 53% — Combined share of reported breaches attributed to theft.

• 9.7 million — Number of records compromised in the "other" category, which includes portable electronic devices, backup tapes, CDs, and X-ray films.

• Four — Florida's ranking, in 2010 and 2011, among states with the highest number of reported incidents. California was number one in 2011, and New York was number one in 2010.

• 71% — The percentage of computer breaches attributed to theft for 2010 and 2011.

Nearly twice as many individuals were affected by healthcare data breaches in 2011 versus 2010; however, fewer breaches were reported. The total number of unique covered entities involved in a breach also dropped in 2011 to 142 from 201 the year prior.

Changes in types of breaches for 2010 and 2011 were:

• theft: 53% of breaches in 2010, and 52% of breaches in 2011;

• unauthorized access: 19% of breaches in 2010, and 22% of breaches in 2011;

• loss: 16% of breaches in 2010, and 11% of breaches in 2011;

• hacking: 6% of breaches in 2010, and 6% of breaches in 2011;

• improper disposal: 6% of breaches in 2010, and 5% of breaches in 2011;

• unknown: 1% of breaches in 2010, and 3% of breaches in 2011.

Another part of the analysis looked at the compromised locations where data went missing. Laptops, paper, and "other" top the list. "Other" includes mobile devices such as tablets and smartphones.

Theft was the biggest threat to the safety of patients' health records. For breaches of information on laptops, 95% involved theft; for paper-based breaches, 26% involved theft. And for breaches of "other," which included mobile devices, 44% involved theft, and 42% involved loss.

The growing use of mobile devices by clinicians and staff members increases the risk of breaches due to theft, so the report's authors recommend strengthening and enforcing policies that require encryption as well as controlled access. (For more information about protecting data on mobile devices, see "Beware of breach sources: Laptops and flash drives," HIPAA Regulatory Alert, May 2011, p. 1.)

Despite the improvements in some categories, healthcare organizations still have a long way to go before patients' information is fully protected. The report identifies areas of vulnerability so healthcare organizations can focus risk assessments within their organization.

To download a copy of the full, free report, go to www.kaufmanrossin.com. From the top navigation bar, select "White Papers." Scroll down to "HITECH Act three years later. Are health records safe?"