Most HIPAA Breaches are Caused by Employees

It has been said that the most difficult interface to secure is the one between the chair and the keyboard. This bit of “nerd humor” actually has its basis in fact. Art Gross has written a very informative post titled “Your employees will cause your next HIPAA breach” concerning the most common cause of HIPAA breaches – your employees. Gross cites two recent examples where Protected Health Information (PHI) was leaked from the secured healthcare data environment by careless or poorly trained employees:

Lone Tree, Colo.-based Rocky Mountain Spine Clinic is notifying its patients of a HIPAA data breach after a former employee inappropriately emailed herself a document containing the protected health information of 532 patients.

The clinic announced the incident Wednesday and has since fired the employee, according to a report by the Denver Post.

The email sent to the former employee’s personal account contained patient names, insurance company data and information about patients’ surgical procedures.

And this one:

The Oregon Health & Science University has notified 3,044 patients that their protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.

The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, according to officials.

The first example resulted in someone losing a job and an employer losing an otherwise valuable employee. The second example didn’t report the same fate, but it’s possible (and likely) that someone was dismissed there as well. In both cases, however, the real culprit may be the Covered Entities (CEs) themselves. Were the employees properly trained in the handling of PHI? Were they periodically retrained? Was their training documented, and were they tested for their mastery of the topics? These are rhetorical questions that point to the crux of the issue – are you adequately training your employees? You might assume my bony finger is pointed at the covered entities (physicians, etc.), but there are four fingers pointing directly back at me – the Business Associate (BA). Business Associates are often in contact with the same PHI as the covered entity’s employees and are now subject to the same breach notification rules and associated monetary fines as the covered entities. In other words, BAs need to educate their staff and document both their training and their competency scores.

The take-home message is this – make certain you are providing the necessary training to your employees, and be sure to choose your business associates carefully. HIPAA breaches can be avoided with good training. Assess your risks and make any necessary changes now. Retain valuable employees and avoid the embarrassment and financial pain of a data breach.