In the end, data breach mitigation cost MAeHC about $289,000. More than half went to legal fees and the bulk of what was left went to pulling staff from other tasks to focus on breach mitigation. "Basically, you have to sweep everything aside and focus on this," Tripathi says.
A breach involving one specific covered entity had to be reported to the Office for Civil Rights, as it affected more than 500 patients. The OCR concluded that MAeHC was "in substantial compliance" with federal rules and did not fine the organization; the federal agency even went so far as to tell Tripathi that overlapping state and federal laws left the OCR unsure if it even had jurisdiction over the incident.
Tripathi decided to use the incident as an educational experience for others, as a lengthy post on the HIStalk Practice blog and subsequent interview with The New York Times suggest. "This kind of detail just doesn't get out there," he says.
It should. A recent analysis of healthcare data breaches by the Health Information Trust Alliance (HITRUST) finds that incidents such as the MAeHC breach, involving lost or stolen unencrypted laptops, remain all too common in the healthcare industry despite new rules that dramatically increase fines for data breaches.
All told, theft and loss account for 66 percent of the breaches of 500 or more patient records, and 82 percent of the total records lost, that have occurred since September 2009, the HITRUST report notes. Small physician practices, which make up the vast majority of healthcare organizations in the United States, are particularly vulnerable, the report says: "This industry segment is struggling and requires significant assistance due to a lack of available expertise and resources."
In an interview, Christopher Hourihan, principal research analyst with HITRUST, says small practices should focus on the basics, including training, encryption, firewalls and antivirus software, the same technology that savvy users have on their home networks. "Don't try to do anything all at once," he says. "Focus on the critical areas first and expand the program that way."
Speaking at the Privacy Security Forum, Leon Rodriguez, director of the Office for Civil Rights, agrees that encryption technology is key to avoiding breaches. (Under 2009's HITECH Act, the loss of encrypted PHI, or of encrypted hardware that contains PHI, is not considered a data breach.) Training matters, too, he adds, as there is always "some human frailty" to a data breach that's unrelated to technological vulnerabilities.
HIPAA Business Associates, Hackers Need an Organization's Careful Attention
The HITRUST report notes that data breaches involving HIPAA business associates (which, as noted, HIPAA-covered entities are responsible for) have accounted for 21 percent of breaches in the last three years and 58 percent of the records lost. This points to a need for "proactive due diligence," Hourihan says. "It's been a problem, and it will continue to be a problem, because businesses sign a contract and then don't do anything else."