Research conducted by the HHS on breaches affecting 500 individuals or more has revealed that HIPAA violation cases come in all kinds, infringing on administrative, physical or technical safeguards. Interestingly, these breaches usually fall within a few recurring patterns. Studies show that HIPAA violations are most commonly associated with:
- Unencrypted data – a number of cases had to do with lost/stolen data that was unencrypted
- Theft of physical records and devices – around 49% of all data breach cases were due to the theft of physical records. This occurs when portable devices containing sensitive PHI are not secured with PINs, passwords and other security measures. Data stored on smartphones and laptops is particularly vulnerable, so backup copies must be made if you want to ensure data security.
- Employee negligence – these cases included employees disclosing sensitive PHI on social media networks, leaving unencrypted backup tapes with patient information in their vehicles parked off-premises, and even inadvertently sending patient data to contractors who posted it online, open to public access.
- Business associates – around 62% of violations were associated with a business partner, which means that healthcare entities need to be very discreet in selecting an associate.
- Failure to notify – failing to notify the HHS and affected individuals is another factor leading to HIPAA violations. It is mandatory that HHS be notified within ten days of a data breach; the documentation should include at least fifteen specific components related to the covered entity’s internal investigation, physical safeguards, procedures and policies, breach notification and risk assessment.