Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information reported to HHS gives companies a high level of insight into the types of breaches that occur in the health care industry.
The data collected by HHS concerning breaches affecting 500 or more individuals, as of November 11, 2016, shows, for a second year in a row, that unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, is the most common form of data breach in the health sector. The following provides a snapshot of information concerning healthcare data breaches.
The percentage of reported breaches caused by unauthorized access or disclosure.2
The percentage of unauthorized access or disclosure caused by paper records.3
The percentage of reported breaches caused by theft of hardware of all types.4
The percentage of reported breaches caused by hacking/IT incidents.5
Things to consider when reviewing your information security program in light of HHS data:
1. 45 C.F.R. §164.408(a)-(b).
2. U.S. Dep't of Health and Human Servs. Office for Civ. Rights, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (November 11, 2016).