Prepare for a perfect storm — data breaches are on the rise and so are the costs of HIPAA violations.
Last year put cybersecurity and compliance on the minds of providers across the country with some of the highest financial penalties to date for violating HIPAA.
And so far, 2015 is proving hospital leaders are right to be worried about potential data breaches after two major health insurance carriers were hacked, resulting in the two biggest data breaches in the history of health care.
Now, new research is confirming data breaches are becoming more frequent. And an insider at the Office for Civil Rights (OCR) hints that the agency may be issuing even steeper fines for violators to spur HIPAA compliance from other providers.
Rise in large-scale breaches
The study, conducted by Kaiser Permanente, reviewed the Department of Health and Human Services (HHS) database of large-scale data breaches over the past four years.
Researchers found that the number of breaches affecting at least 500 people has grown steadily. In fact, from 2010-2013, there were more than 1,000 large-scale breaches affecting a total of 29 million patients.
Some of the findings from the research reflect information from past studies, for example:
- About half of all breaches were attributed to the loss or theft of physical records or storage devices such as USB drives and laptops.
- Hacking continues to be a growing trend — more than doubling in four years — but still accounted for less than a third of all breaches.
- Most of the hacking involved unencrypted data in providers' electronic health records (EHRs).
Despite the continuing phase-out of physical records and storage devices, data breaches involving EHRs are expected to become more frequent as hospitals continue to expand EHR implementation across their operations, and adopt new health IT, such as cloud-based storage.
Higher cost of violations
And be assured that providers will be harshly dealt with for missteps like failing to encrypt devices with access to patient information.
And the consequences could put some of 2014’s fines to shame, predicts healthcare and privacy attorney Adam Greene in an interview for govinfosecurity.com.
Though nothing’s been released, Greene, who’s worked closely with OCR in the past, has reason to believe that the agency has some record-setting financial penalties coming later this year. Similar predictions from OCR-affiliated lawyers proved true last year, giving Greene’s warning added weight.
However, right now, a shift in leadership and other developments at the OCR have put a lot of actions on hold, including the next round of HIPAA audits.
That means hospital leaders still have time to cross the t’s and dot the i’s of their compliance programs, and ensure that there’s documentation to support all the steps they’ve taken to guard patient data and prevent a breach.
As the risk for breaches and cyberattacks increases, hospital leaders will have to show they’ve taken every preventive step possible to keep the OCR from issuing crippling penalties.