
HITRUST: HIPAA Breaches Near $1 Billion

By dnicastro@hcpro.com, August 12, 2010

Covered entities and business associates that report breaches of unsecured protected health information (PHI) affecting 500 or more individuals to the Office for Civil Rights (OCR) could together spend nearly $1 billion because of those breaches.

According to a report from the Health Information Trust Alliance (HITRUST), the 108 entities that have submitted breach reports to OCR since September 23, 2009 could spend up to $834.3 million in total costs to address violations of the Health Insurance Portability and Accountability Act (HIPAA).

HITRUST used the 2009 Ponemon Institute study, which found the average cost of a compromised record to be approximately $144 in indirect costs and $60 in direct costs, for a total of $204 per record.

OCR's breach notification website list has grown since the HITRUST report was published this month. As of Wednesday, August 11, 130 entities have reported breaches affecting 500 or more individuals.

Chris Hourihan, manager of development and programs for HITRUST and the author of the report, says organizations err on the side of caution and notify OCR even when a risk analysis might determine that a breach caused no harm.

The breach notification interim final rule includes a "harm threshold" provision that exempts entities from reporting a breach if they determine the incident does not pose a significant risk of financial, reputational or other harm to the individual.

"What I'm seeing is that organizations are not taking any chances," Hourihan says. "If a breach has the slightest chance of harm, they're going to do the notification."

Based on his research, Hourihan offers these tips:

  • Encrypt portable devices. With laptop theft the No. 1 breach type and location, Hourihan says organizations should "at the very least" make sure any portable devices are encrypted. And, if you can help it, remove any sensitive information from them.
  • Don't store information locally. Keep information on network drives instead, which gives users an easy-to-use, centrally managed and protected option. "Make sure nothing gets stored locally," Hourihan says.
  • Ensure BA compliance. BAs accounted for only one-fifth of the breaches on the OCR website, but Hourihan sees that share climbing. "Across all segments of the industry, our data shows that third party security management is the least mature in control," says Hourihan, "and the BAs aren't the ones being called out when there's a breach."

Other notable numbers from the HITRUST report include:

  • 4,089,670 individuals affected
  • 38% of breaches involve hospital/provider networks (No. 1)
  • 79% of individuals affected involve insurance plans (No. 1)
  • 31% of breaches involve laptops (No. 1)
  • 70% of records involve a theft (No. 1)
  • 18.5% of breaches implicate a BA

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
