Issue link: https://beckershealthcare.uberflip.com/i/1275740
CIO / HEALTH IT

10 common reasons for HIPAA violations

By Laura Dyrda

From June 2019-20, there were 393 protected health information breach incidents reported to HHS. The incidents included malicious email hacking, unauthorized access to EHRs, and inadequate third-party business agreements.

Here is a list of common reasons for HIPAA violations:

1. Employee email phishing attacks. There were 142 hacking incidents reported since June 2019 related to email attacks. Cybercriminals are becoming more sophisticated with phishing emails, and efforts intensified during the pandemic. Despite hours of training and reminders, healthcare employees continue to fall victim to phishing emails, potentially exposing thousands of patient records.

2. Malware and ransomware attacks on networks. Cybercriminals are speeding up their ransomware and malware attacks on hospital networks, according to a report in The Wall Street Journal. Previously, attackers would take more time to go through data before inflicting malware, but during the COVID-19 pandemic they have begun launching malware right away, because hospitals need data back immediately.

3. Medical record snooping. Several hospital and health system employees have accessed medical records unnecessarily, which resulted in the employee being terminated or resigning. The temptation to gain information about individuals at hospitals is huge when hospitals treat high-profile individuals or cases.

4. Improper disposal of medical records. There is a correct and incorrect way for healthcare organizations to dispose of medical records, and improper disposal is a HIPAA violation. Seven healthcare providers disclosed earlier this year that some patient and employee records were dumped in unsecure locations.
The institutions involved in the incident included Saint Joseph Health System in Mishawaka, Ind., which entrusted records that had protected healthcare information to Central Files to destroy some records and securely transfer others to storage. However, the company dumped some of the records in an unsecure place.

Saint Francis Healthcare in Charleston, S.C., also reported improper paper records disposal in January, which exposed 1,634 patients' records.

5. Theft of medical records. There have been 39 incidents of medical record theft in 2020 so far, including electronic files, files stored on stolen laptops and paper files. The largest theft this year has been from Health Share of Oregon; the health plan reported a laptop containing information about 654,362 individuals was stolen. There are also high consequences for stealing PHI; in May, a former clinic administrator was sentenced to four years in federal prison for accessing patients' medical records to steal their information and sell their identities.

6. Non-compliant third-party business agreements. Healthcare organizations must choose their partners wisely; a business associate that doesn't comply with HIPAA, or that experiences a cybersecurity incident can expose patient information and violate the law. The business associate was present in 91 of the data breach incidents in the past year and 41 of the breaches occurred among healthcare providers' business associates. Optum360 reported the largest business associate breach in the past year with a hacking incident that affected 11.5 million individuals. BST & Co. also reported a hacking incident in February that affected 170,000 individuals. Both incidents were network server breaches.

7. Downloading PHI on unauthorized devices. Healthcare personnel are busier now than ever, but they still must only access PHI on authorized devices.
Clinicians and team members working virtually may access PHI only on authorized devices and must avoid downloading it to unsecure locations.

8. Medical records exposed during natural disasters. Even the best-laid plans can be foiled by Mother Nature and other unforeseen phenomena. Earlier this year, Community Health Systems in Franklin, Tenn., reported that a tornado damaged the Stat Informatics Solutions building in Lebanon, Tenn., and exposed around 2,500 of the system's medical records that were stored there. The facility also housed medical records from other organizations.

The global pandemic has also paved the way for unintentional HIPAA breaches. In the wake of the fast-spreading COVID-19 virus, many health systems updated processes and protocols for identifying employees who tested positive and deploying quick contact tracing to promote self-isolation among those at risk of further spreading the disease. On June 5, Yale New Haven Health reported that its occupational health staff accessed a small subset of data related to COVID-19 in medical records as part of its efforts to ensure symptomatic staff and employees were notified of their COVID-19 status. The health system apologized to the 506 individuals affected.

9. PHI accidentally posted online. There have been multiple incidents in the last year of hospitals and health systems, or business partners, inadvertently posting protected health information online. In May, Ashtabula (Ohio) County Medical Center accidentally posted an Excel spreadsheet on its website that included PHI; the spreadsheet was posted on Jan. 6 to comply with government requirements about medical cost disclosures. However, the hospital realized the spreadsheet also included PHI of around 3,683 patients.

Castro Valley Health in San Ramon, Calif., a home healthcare services provider, inadvertently sent patient information to a third-party website.
The incident, reported on June 8, affected patients who received care at CVH from 2016-17. The information was "heavily coded" when published and has been removed from the website, called Docker Hub.

10. Loss of medical records. Eleven security incidents in the past year have included the loss of medical records. Notable instances occurred at Walmart, where 3,606 individuals were affected by a breach in February 2020, following a separate incident in which Walmart reported 4,211 patients' information on a portable device was lost in October 2019. Renown Health in Las Vegas also reported a loss incident affecting 27,004 individuals in August of 2019.