Data breaches cost insurers big but providers more frequently

Health care providers reported breaches of patient health information (PHI) far more often than any other HIPAA-covered entity. However, insurers' fewer breaches still accounted for grossly more records.

Published online in JAMA Network, a new analysis found providers were responsible for 7 in 10 of all reported breaches of PHI between 2010 and 2017, yet accounted for fewer than 1 in 4 actual health records breached in that time. Essentially, the data reflects the sheer volume of massive insurer breaches, such as Anthem and Premera Blue Cross in 2015, but also illustrates the need for health care providers to adequately safeguard patients' protected health information (PHI) from nascent external threats.

Per HIPAA's Security Rule and the Health IT for Economic and Clinical Health (HITECH) Act of 2009, covered entities—providers, health plans, clearinghouses or business associates (BAs)—are required not only to preserve the confidentiality, integrity and security of patients' PHI, but also report its unauthorized disclosure after discovery of a breach. And in the years immediately following HITECH, covered entities did report breaches to the tune of 29.1 million between 2010 and 2013. And while that number is significant, it's only climbed higher in recent years with emerging technology and better understanding of covered entities' responsibilities.

Per their study, researchers from Massachusetts General Hospital Center for Quantitative Health analyzed the trove of public data collected by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to examine the nature and extent of breaches between 2010 and 2017. They found breaches ranging in size from 500 to 78.8 million records with the number of individual breach reports generally increasing with each passing year.

Health care providers were the most commonly breached entity during that time with 1,503 breaches accounting for a cumulative total of 37.1 million records. Next most common, insurers, reported 278 breaches between 2010 and 2017 but accounted for the largest share of breached records with a cumulative total of 110.4 million.

Moreover, authors describe an evolving shift in the way reported data breaches occur as hacking threats surpass physical theft in recent years. Although paper or film records were the most commonly reported breached—with 510 breaches comprising a total of 3.4 million records—network servers were reported breached 410 times for a total of 139.9 million records compromised. So, too, the most commonly breached locations shifted from laptop or film in 2010 to network server and email in 2017, authors note.

"Despite the ethical and legal obligation to protect patient privacy and efforts to establish best practices for health care information security, breach rates have increased and health care providers accounted for a large share of those breaches," the study states.

"Although networked digital health records have the potential to improve clinical care and facilitate learning health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved."

Act now: Are you HIPAA compliant?

Word to the wise: Nobody is immune from data breaches or cybersecurity issues, so it's important to make every effort to protect PHI, be it from malicious intent or mindless accident. Although cyberattacks are a very real threat to PHI, commonly it's something as painfully ordinary as a lost or stolen laptop or cell phone that had access to data or practice systems.

In a May 2017 AOA Focus article, Marc Haskelson, president and CEO of Compliancy Group, says the "human factor" represents the preponderance of violations reported on the OCR's "Wall of Shame." Compliancy Group, an AOAExcel^® endorsed business partner, offers a total HIPAA compliance plan and resources to help doctors of optometry navigate through HIPAA, HITECH and other federal regulations and enforcement.

In his experience, Haskelson says many breaches result from inadequate passwords to phishing scams and even lackadaisical building management, such as housing server equipment in an unlocked room. Time and time again, it's a lack of proper policies and procedures on the part of the provider that result in HIPAA compliancy shortcomings.

"The good news—the reality—is that most people don't get hacked because they're careful and use good, common sense," Haskelson says. "But in the world of cybersecurity, you must understand that if someone wants to hack your system badly enough, they will hack it."

Learn more about Compliancy Group's total HIPAA compliance solution.

The AOA also offers members HIPAA tools and resources to help practices begin developing policies that make your practice compliant, including a step-by-step overview to help understand the compliance process. Access the HHS' HIPAA for Professionals webpage.