The PHI Data Breach: Revisiting Human Error Risk
A recent OCR settlement over improper disposal of PHI at a dermatology clinic brought home the fact that, despite decades of HIPAA, healthcare organizations still make serious errors handling PHI. The clinic reported the PHI data breach itself, and the investigation showed that for more than ten years the clinic had been throwing away specimen containers without removing identifiable information. The PHI printed on the container labels included patient names, dates of birth, dates of sample collection, and even the treating provider's name. It was a jaw-dropper.
Discarding PHI in an appropriate manner not only protects patients from having their personal information exposed but also protects the healthcare organization from the reputation buster of an OCR investigation. Not to mention the financial cost. The PHI data breach mentioned above cost the dermatology practice $300,640. On top of that, the practice must implement a corrective action plan that includes two years of close OCR monitoring.
While it's hard to fathom that a healthcare organization in 2022 could make such a blatant mistake, keep in mind that human error remains as big a risk to healthcare data as any cyber threat. Relying on annual training alone won't keep HIPAA or other privacy and security best practices top of mind. Staff turnover, changes in technology and systems, and a lack of accountability all contribute to the risk of a PHI data breach.
Instead, consider quarterly privacy and security reviews, online quizzes, penetration testing, phishing awareness training, and so forth. Humans make mistakes, but regular training and reminders make those costly and embarrassing mistakes less likely.
Providing repeated privacy reminders on how PHI is to be handled, including how it is destroyed, is vital to keeping your organization off HHS/OCR's "Wall of Shame" (the public breach portal that lists breaches affecting 500 or more individuals). Teach, and then teach again. Your workforce is your first line of defense against a data breach. They need to know how to handle PHI at every step, from intake forms to destroying information before it is disposed of, whether that information is on paper, on a specimen label, or on a screen.
Regular training is crucial to a successful HIPAA compliance program, and to privacy and information security best practices generally. Management also needs to conduct periodic assessments aimed at identifying potential problems before they become breaches (think risk management activities), while using each assessment as an opportunity to remind workforce members of what is expected of them.
Has it been a while since you assessed your data breach risks? Conducted HIPAA awareness and information security training? Contact Apgar and Associates to learn how we can help you get back on top of the basics or take it to the next level with certification readiness for SOC2 or HITRUST.
Kevin Haralson, MBA, CCSFP, CHP is a senior compliance analyst with Apgar and Associates. He works with clients on HIPAA Privacy and Breach compliance assessments, certification readiness, and security risk analysis.