HIPAA Breaches – What, Why, Where, How and What Must I Do?

An employee in the office of ROB Professional Editor Laurie Sorrenson, OD, FAAO, demonstrates how easily HIPAA-protected information can be viewed by others in the room or anyone in the office who walks past.

Managing and preventing patient information breaches in optometry.

By Joe DeLoach, OD, FAAO

August 7, 2024

Unlike a happy, carefree day at the beach with an umbrella drink, a breach of patient information is no fun and can be just short of a nightmare.

Data from the Office for Civil Rights (OCR) states that in 2023, breaches in the healthcare sector occurred at the rate of 1.99 PER DAY – and that is just REPORTABLE breaches (more on that later). That is a 37 percent increase in 2023 compared to 2022.

Doesn’t happen to optometrists? Just in the past 12 months, OCR data confirms reportable breaches in ten eyecare practices involving over 1.3 MILLION patient records. This does NOT include the breaches associated with clearinghouses and electronic medical record systems. Fines from OCR for breaches can be staggering. Really bad news? The average cost to resolve a reportable breach in 2023 was $4.45 MILLION. Got your attention yet?

WHAT is a Breach?

A breach is an unsecured, unauthorized release or acquisition of patient information. There are two forms of breaches – reportable and non-reportable. Defining a breach is a five-step process – defining a reportable breach is a far more complex process. Doctors should consult with their compliance resource for help in making those designations if ANY information is released.

Failure to report a breach has dire consequences. A big misconception is that as long as the information is not used to cause harm, it is not a breach. A breach is the “release or acquisition” and OCR confirmed in 2023 that they can levy fines for release or acquisition even if the information is never used. This specifically relates to ransomware attacks, even if it is concluded that there is no risk the breach of data could in any way harm the patient. The simple fact a cyberattack occurred is now defined as a breach, even if the data is never used.

WHY So Many Breaches?

There are two answers. First, a dismal lack of concern among optometrists regarding privacy and security, and most of all, healthcare compliance. Outdated, or even worse, NO policies, poor internet control, lack of staff training, use of weak password protocols or no protocols at all, and failure to invest in commercial-grade IT devices and services all leave the door open for an easy breach. But that still doesn’t answer why anyone would want someone else’s medical information.

The truth is they don’t. HIPAA privacy and security is no longer about medical information; it is about identity theft, and doctors have all the major demographics to create a new identity! Forbes reports in 2024, “the value of a health record can be worth as much as $1,000, whereas on the dark web, a credit card number is worth $5 and Social Security numbers are worth $1.” Sounds like a solid return on investment!

WHERE Do Breaches Occur?

Breaches of patient information mainly come from the security (technical) side of HIPAA – over 65 percent to be exact. Protecting the privacy and security aspects of patient information is essential to reduce the size of your target to as small a bullseye as possible. The dominant force in healthcare breaches is cyberattacks – especially ransomware. NinjaOne estimates:

  • Ransomware attacks occur 1.7 MILLION times a day, a 37 percent increase in 2023 alone.
  • The average ransom paid increased in 2020 to over $85,000.
  • In 2023, the average cost of resolving a ransomware attack exceeded $1.8 MILLION, including an average of 16.2 days of downtime.
  • Sixty-three percent of ransomware victims were small businesses, not the huge insurance companies that make the big headlines.

The other 30 percent of breaches are the result of privacy issues, office policies and protocols. Read on to see how those happen.

HOW Do Breaches Occur?

To quote the late, great Irv Borish – “everything that happens in your practice is your fault.” Although true, it is impossible to completely prevent any breach from occurring. You can do exactly what the HIPAA law requires of you – take reasonable steps to protect your patients’ personal health information. The concept of “reasonable” has been growing a lot recently.

  • Reasonable is NOT ignoring the law. That can result in up to $250,000 in fines over and above the costs to mitigate a breach.
  • Reasonable does NOT include trying to go this alone. Partner with a HIPAA compliance company providing programs that are easy to use, affordable and specific to optometry. The cost of maintaining these programs is insignificant compared to a privacy or security disaster.
  • Reasonable does NOT include weak, factory-default firewalls, routers that are not dedicated and business-grade, or non-comprehensive virus, malware and spyware protection. Do not go cheap on technology here! A few thousand dollars in prevention can save you a million in reaction.
  • Reasonable does NOT include any folder or backup where information is stored without being encrypted.
  • Reasonable does NOT include storing information in imaging devices with outdated, unsecured servers. A Forbes report states that over half of these imaging devices do not have secure storage capability.
  • Reasonable does NOT include the use of unsecured e-mail and/or text systems and NEVER includes any staff transmitting patient information using their own e-mail or smartphone.
  • Reasonable does NOT include staff having open access to the internet. Access should be limited to only sites necessary to complete their job functions.
  • Reasonable does NOT include simple passwords made up by staff. Complex passwords assigned by the privacy officer or security officer are a must.
  • Reasonable does NOT include staff not trained in HIPAA protocols including cybersecurity training.
  • Reasonable does NOT include the concept of “one and done.” Compliance programs are living, breathing entities that must be cared for and updated.
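The password point above is the one item on this list that a practice can enforce mechanically. The following Python script is an added example, not code from the article or from Practice Compliance Solutions: it rejects simple, staff-chosen passwords against an assumed policy (the minimum length, required character classes, deny-list and the "no practice name or username" rule are assumptions, not a quoted HIPAA or NIST standard) and generates compliant passwords that the privacy or security officer can assign.

```python
"""Password policy checker and generator for a small practice.

Added example: the thresholds and deny-list below are assumptions chosen to
illustrate the article's point, not a quoted regulatory standard.
"""
import re
import secrets
import string
from typing import List

MIN_LENGTH = 14  # assumed policy minimum

# Assumed deny-list: fragments staff commonly build "simple" passwords from.
BANNED_SUBSTRINGS = ("password", "welcome", "letmein", "qwerty", "1234", "eyecare")

# Character set the generator draws from; guarantees every class is available.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"


def policy_violations(password: str, practice_name: str = "", username: str = "") -> List[str]:
    """Return the reasons a password fails the assumed policy (empty list = passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        reasons.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        reasons.append("no uppercase letter")
    if not re.search(r"\d", password):
        reasons.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no symbol")

    lowered = password.lower()
    for word in BANNED_SUBSTRINGS:
        if word in lowered:
            reasons.append(f"contains banned word '{word}'")

    # Staff tend to embed the practice name or their login; reject any
    # word of four or more characters taken from either.
    for label, value in (("practice name", practice_name), ("username", username)):
        tokens = [t.lower() for t in value.split() if len(t) >= 4]
        if any(t in lowered for t in tokens):
            reasons.append(f"contains the {label}")

    # Three or more identical characters in a row ("aaa", "111").
    if re.search(r"(.)\1\1", password):
        reasons.append("three identical characters in a row")
    return reasons


def meets_policy(password: str, practice_name: str = "", username: str = "") -> bool:
    """True when the password satisfies every rule of the assumed policy."""
    return not policy_violations(password, practice_name, username)


def generate_password(length: int = 20) -> str:
    """Generate a random password guaranteed to satisfy the policy.

    Uses the secrets module (CSPRNG) and rejection sampling: a 20-character
    draw from ALPHABET almost always contains all four classes, so the loop
    terminates after very few iterations.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample of staff-chosen passwords to audit against the policy.
    sample = ["Password1", "Sunnyvale-Eyecare-2024!", "Lens-Check!Autumn47"]
    for pw in sample:
        problems = policy_violations(pw, practice_name="Sunnyvale Eyecare")
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
    print("Officer-assigned replacement:", generate_password())
```

The generator produces one password per staff member for the security officer to hand out; the checker is what you run against any password a staff member proposes instead. Rejecting the practice name and the username catches the two most common ways a "complex-looking" password is still guessable by anyone who knows where the employee works.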

WHAT Do You Do?

Go back to “How Breaches Occur” and make sure you are checking off everything noted there. Healthcare compliance is 99 percent trying to do the right thing and then documenting those efforts with help from HIPAA experts.

Joe DeLoach, OD, FAAO, is CEO of Practice Compliance Solutions and former Clinical Professor at the University of Houston College of Optometry. To contact: joe@practicecompliancesolutions.com
