Data breaches are prevalent in the healthcare industry, but 2023 was a record-breaking year. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported more than 725 incidents that exposed more than 133 million health records. These statistics reflect a growing concern for healthcare organizations—the mounting risk of Health Insurance Portability and Accountability Act (HIPAA) violations due to compromised Protected Health Information (PHI).
In addition to violating patient privacy, data breaches represent a massive financial loss for the healthcare industry. According to the IBM Cost of a Data Breach Report 2023, the costs associated with data breaches have increased 53.3% for the healthcare industry since 2020. For the 13th year in a row, the industry has reported the most expensive breaches, at an average cost of 10.93 million USD.
Since healthcare organizations handle physical copies of patient records, identity documents, insurance records, and other health-related documents, they are targets for bad actors. To better protect confidential information and help ensure HIPAA compliance, hospitals, health systems, and physician practices should have a comprehensive data security program that tackles potential hazards.
Understanding the Requirements for HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a pivotal piece of legislation that protects sensitive medical information. It serves as a cornerstone for data privacy and security provisions, specifically aimed at safeguarding the confidentiality of patient information. HIPAA comprises various rules and standards, prominently the Privacy Rule and the Security Rule, which set national benchmarks for the use, disclosure, and safeguarding of protected health information (PHI) and electronic protected health information (ePHI).
HIPAA regulations apply to many types of healthcare organizations, such as hospitals, medical clinics, and pharmacies. Other organizations also fall under HIPAA rules, such as health plans and healthcare clearinghouses. The U.S. Department of Health and Human Services (HHS) refers to organizations that must follow HIPAA rules as “covered entities.” Another type of organization that must safeguard PHI is a “business associate,” which performs functions or activities involving PHI on behalf of a covered entity.
What Information Is at Risk?
Hackers and social engineers look for key pieces of data that can be used to commit identity theft and other fraud. When they target healthcare organizations to steal this data, they gain access to personal identifiers that link patients to their healthcare data, including:
- Patient name
- Date of birth
- Social Security Number
- Health plan number
- Medical information
- Financial data
Documents housing this information should be considered sensitive and secured appropriately to safeguard patient privacy.
How to Help Protect Data and Prevent Breaches
Adhering to HIPAA regulations is vital for covered entities and business associates. By following these steps, organizations can better protect PHI and help prevent data breaches:
- Don’t Underestimate the Risks of Paper
While hacking incidents targeting electronic information rose by 239% in 2023, paper-based data breaches still accounted for 5.7% of all incidents. Due to the nature of the healthcare industry, it’s a safe bet that a majority of documents printed or otherwise generated during care contain PHI. Consequently, organizations must have policies and procedures that govern and support secure paper document handling, storage, disposal, and destruction.
An experienced shredding service like Shred-it® can provide document destruction at regularly scheduled intervals to ensure that confidential papers are securely destroyed. In addition, if an organization is going through a large-scale cleanout, such as purging old paper-based medical records, a one-time, on-demand shredding service is also a wise choice. To streamline both periodic and one-time shredding events, organizations may want to institute a shred-it-all policy that encourages staff to consider whether there is any requirement to retain a document (in accordance with internal policy) and, if not, to dispose of it immediately and securely. Unlike generic office shredders, a shredding service can handle a variety of formats, such as stand-alone documents, stapled and paper-clipped packets, x-rays, MRI recordings, and photographs.
- Old Technology Presents Hazards
In addition to safely destroying paper, it is also important that any data housed on outdated or unused technology is made irretrievable, including data on old computers and photocopiers, USB keys, and CD-ROM or DVD storage media. One of the most effective methods for disposing of old hard drives is to have them physically destroyed by a professional hard drive and media destruction service.
- Staff Training Is Essential
To help ensure policies and procedures are effective, organizations should train staff on how to preserve information privacy and security, including their role in paper handling, storage, and disposal. Ongoing training that is current, relevant, and informed by threat intelligence is key to improving both awareness of potential attacks and response times.
Whether an organization needs to onboard new hires, provide annual refreshers, or send timely security reminders, online training can be beneficial because these programs are available 24 hours a day, 7 days a week and are kept current with the latest HIPAA requirements.
Download our info sheet to learn data security destruction best practices and which documents are most at risk of theft.