Reports of HIPAA breaches continue to increase.1 Daily headlines about hacking and ransomware are the norm, and so are solicitations from technology and security vendors who claim to have a solution. Staff and physicians cringe at the thought of more onerous technology processes that increase their misery.

Do the headlines tell the right story? Do IT vendors and HIPAA consultants really have all the answers? Can you make your practice completely safe from a HIPAA breach?  

Unfortunately, the answer to all three questions is “no.” To add insult to injury, not only are some remediation efforts needlessly costly and annoying to users, they can increase your risk.

HIPAA security doesn’t have to be complicated or scary

There is a lot of misinformation about HIPAA, many times originating from IT vendors trying to sell you something or ill-informed staff members trying to increase their importance. 

Many people try to overcomplicate the HIPAA Security Rule or are intimidated by it, thinking HIPAA is beyond normal human understanding. However, HIPAA can be boiled down to easily understood concepts. In common-sense terms, the Security Rule requires covered entities (CEs — in our context here, medical facilities) to protect ePHI (electronic protected health information) from theft, loss, destruction or unauthorized access, either intentionally or accidentally, by any entity inside or outside the CE.

What can we learn from the data?

The Department of Health & Human Services (HHS) Breach Portal (also known as the “wall of shame”) lists the 3,100-plus HIPAA breaches involving 500 or more individuals records reported since 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted.2 This amounts to 238 million patient records, which means chances are better than ever that your own records have been breached. Analyzing the data (see Table 1 and Figure 1) helps dispel some common myths and answers the following questions:

These large breaches are outliers; they represent the largest number of records (60%), but only a very small number of breaches (0.3%). Focusing on these large breaches obscures the relevant insights for a typical medical practice, and one can incorrectly infer the biggest threats are to health plans, large hospital systems and business associates, not to practices. Therefore, the top five breaches are excluded from the remainder of this article.

Figure 2 shows an alarming upward trend, not only in the number of records, but in the number of breaches as well. For the last five years there has been an average of roughly a breach a day.

As seen in Figure 3, theft and loss has more breach events than hacking/IT incidents. When you add theft and loss to unauthorized access/disclosure, those breaches are nearly double those of hacking/IT incidents.

In fact, hacking/IT incidents are really two large buckets, as many of these incidents do not fall under hacking, but typical “IT incidents,” including issues such as network/hardware failures, power outages, etc.

This means hacking is not really our biggest threat; it is processes within the practice. Further, a deeper dive into many of the descriptions frequently shows the underlying cause to be user behavior within the practice, which allows or enables hacker entry, despite technology protections such as firewalls, anti-malware, etc. This further shines the light on user behaviors as the root cause, rather than on technology.

What about the location of the breached data?

As one might expect, because the greatest concentration of patient data exists on the network server, it is by far the most common location listed for breached data (66.5 million records). However, it is instructive to look at the other locations where records were breached (Figure 4).

It is useful to ponder Figure 4 and ask, “Why is this ePHI being stored in these locations in the first place, making it easier to be breached?” We can conclude, based on the above analysis, that the biggest risks we need to address in our practices is user behavior, specifically users who are:

1. Storing data outside the EHR on paper, laptops, workstations, network folders, etc.
2. Storing data on anything portable (CDs, USB drives, etc.)
3. Sending large amounts of data on email (especially “sneakernet”; for example, emailing a large report to themselves or to a colleague to work on)
4. Enabling external hacking by clicking on links/opening email attachments that install malware, including viruses, trojans and ransomware.

What are the processes or procedures that enable or encourage bad user behavior? What causes users to export data from EHRs and PM systems, which are typically secure, and makes ePHI more susceptible to breaches?

Most recommendations to reduce HIPAA risk involve increasing user security, such as longer passwords, shorter timeout intervals and changing passwords more frequently. While changing passwords after a breach is a good idea, just like changing the locks on your doors after a break-in, forcing frequent password changes is not only frustrating, it increases risk because it makes it harder for users, especially those in clinic and those in management, to get their jobs done. Therefore, users are more likely to try to navigate around HIPAA-inspired barriers by exporting data from the EHR into unsecure formats such as Excel or PDF. If you make it hard to get into protected systems, the more likely users are to export data into unprotected settings. Users will also go to great lengths to overcome overly restrictive inactivity timeout intervals (hardware and software solutions exist for this). These user workarounds make ePHI even more vulnerable to theft, loss, improper access or hacking, rendering these HIPAA protections not only useless, but making them part of a bigger risk.

Poor IT systems design, and bad policies and procedures are culprits, made worse by someone invoking HIPAA as a reason to make clinic and business office use even harder. The solution is proper system design that supports clinicians and other users in proper workflows.

Another key question is this: With significant increases in EHR adoption over the last decade, why is paper still being used? It is because old workflows and archaic processes have not been optimized to properly take advantage of technology solutions. Unfortunately, breaches involving paper continue to be an issue, spiking in 2015, 2018 and 2019. Again, this is a practice/process issue, not a technology issue.

What do you need to do in your practice?

1. Recognize that HIPAA is:
   1. Understandable from a common-sense standpoint (you don’t need to memorize government regulations or become a network security expert)
   2. Not a tech issue — it requires the focus of the entire practice, from users to management, and involves ops, HR/legal, training and technology.
2. Avoid vendors and staffers who sow HIPAA FUD (fear/uncertainty/doubt), and stop allowing them to use “HIPAA” to implement bad processes that not only increase user frustration, they actually can increase your risk of a breach.
3. Understand that the following items, although necessary, are not sufficient in protecting your patients’ data, and your practice’s operations and reputation:
   1. Your annual HIPAA Security Risk Assessment (SRA)
   2. Your annual HIPAA staff training
   3. Your HIPAA and other policies
   4. Business associate agreements
   5. Cyber insurance
   6. Your EHR’s ONC certification (including the HIPAA requirements)
4. Do a security risk assessment:
   1. Identify where your ePHI is stored (not just in your EHR; in fact it’s all the ePHI outside of your EHR that’s at risk.)
   2. Figure out why that ePHI is being stored there, and eliminate that need or move it somewhere more secure.
5. Review/revise your 4 Ps:
   1. Policies — what you are going to do;
   2. Processes — how you are going to do it;
   3. People — who is going to do it, who it applies to, etc.;
   4. Products — tools/systems to track/guide/automate (where possible).
6. Reduce workarounds by fixing your processes and systems, making the “secure” way the “easy” way.

Using common sense and focusing on user behavior, along with taking necessary steps to improve your technology systems, will go a long way in reducing threats associated with HIPAA security. 

New HHS rules during COVID-19: “relax” does not mean “lax”

To enable some continued level of patient/provider contact for elective procedures during the COVID-19 lockdown, HHS announced it would use “enforcement discretion” concerning telehealth services that don’t meet every letter of the law of the HIPAA Security Rule. Many practices and providers seem to think this means HIPAA in general is being relaxed. This is untrue. The discretion only applies to telehealth services, so all other scenarios involving ePHI are still in place, and even telehealth services must be provisioned using “good faith” efforts of appropriate compliance.

In addition, once the public health emergency (PHE) is over, this HHS discretion is presumed to be removed, and all robust provisions of HIPAA Security pertaining to telehealth (and remote/virtual workforce activities as well) would need to be in place.

Even more importantly, the threat of HHS/OCR action is far from the biggest risk facing a practice for a possible HIPAA breach. Far greater potential risks (and costs) are represented by the direct impact of potential civil litigation and cost of credit monitoring for affected patients, not to mention the indirect and immeasurable effects of reputational damage to the practice of any kind of breach, including telehealth services, regardless of “enforcement discretion” by HHS. 

Notes:

1. Bitglass. The 2020 Healthcare Breach Report. Available from: bit.ly/2RfyTm9.
2. Office for Civil Rights. “Cases Currently Under Investigation.” U.S. Department of Health & Human Services. Available from: bit.ly/2Xc0yIg.

Learn more

Patient information is increasingly at risk of being inappropriately disclosed. This could occur through such events as loss or theft of a paper record or mobile device (laptop, tablet, cell phone) that contains protected health information (PHI), theft of office computers or servers, inappropriate access to PHI by staff or external individuals, or ransomware or other types of hacking attacks. MGMA’s HIPAA Breach Toolkit is designed to guide practice executives through the process of determining if a reportable breach occurred and the steps to take if the organization determines that a breach did occur: mgma.com/breach-toolkit.