Technology
e-Newsletter
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

HITRUST: HIPAA Breaches Near $1 Billion

Dom Nicastro, for HealthLeaders Media, August 12, 2010

"What I'm seeing is that organizations are not taking any chances," Hourihan says. "If a breach has the slightest chance of harm, they're going to do the notification."

Based on his research, Hourihan offers these tips:

  • Encrypt portable devices. With the theft of laptops being the No. 1 cause for the type and location of breaches, Hourihan says organizations should "at the very least" make sure any portable devices are encrypted. And, if you can help it, remove any sensitive information.
  • Don't store information locally. A better option here is to get your information on network drives, providing users with an easy-to-use centrally managed and protected option. "Make sure nothing gets stored locally," Hourihan says.
  • Ensure BA compliance. BAs composed only 1/5 of the breaches on the OCR website, but Hourihan sees that climbing. "Across all segments of the industry, our data shows that third party security management is the least mature in control," says Hourihan, "and the BAs aren't the ones being called out when there's a breach."

Other notable numbers from the HITRUST report include:

  • 4,089,670 individuals affected
  • 38% of breaches include hospital/provider networks (No. 1)
  • 79% of individuals affected involve insurance plans (No. 1)
  • 31% of breaches involve laptops (No. 1)
  • 70% of records involve a theft (No. 1).
  • 18.5% percent of breaches implicate a BA

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.

Comments are moderated. Please be patient.

1 comments on "HITRUST: HIPAA Breaches Near $1 Billion"


Hipaa world (12/19/2012 at 3:15 AM)
Or if you are unethical and in interested in avoiding the publicity your organization might just cover over the breach. This is what is reported by word of mouth from an MA to another to have happened to a woman who's information was intentionally breached while held within the Promedica systems database. The authorities were less than helpful and indeed minimizing of the damage or certain existence of the breach. The health information became rumor mill and there was still no transparency or formality to the victim's inquiry. That is why the recent case of Somogey v Toledo Clinic was an interesting notion to those of us MA's who know of the intentional breach prior. Perhaps such a response complete with discipline, action and accountability is selective.