Do not underestimate the importance of physical and administrative safeguards when securing patient data. According to Adam Greene, JD, MPH, attorney with the US DHHS Office of Civil Rights, 66% of patient-data breaches involving 500 patients or more were due to theft and loss (Figure 1). Just 7% were due to the more sensational category of hacking/IT incidents. Do not overlook paper records, either, as they accounted for 21% of large data breaches (Figure 2). Greene presented “HIPAA and Health IT: New Challenges, New Opportunities,” at the annual meeting of the Health Information and Management Systems Society on February 21, 2011, in Orlando, Florida.
Figure 1. Data breaches involving 500 or more individuals since 2003, by type of breach, according to information from the US DHHS Office of Civil Rights. There were 8,524 privacy complaints in 2010, up from 6,534 in 2004, the first full year that HIPAA regulations were in place. The top five privacy issues are impermissible uses and disclosures, lack of reasonable and appropriate safeguards, failure to provide an individual with access to a designated record set, failure to use or disclose the minimum necessary information, and inadequate complaint processes. As of December 31, 2010, there were 221 reports involving more than 500 individuals and more than 14,000 reports involving fewer than 500 individuals.
Figure 2. Data breaches involving 500 or more individuals since 2003, by location of breach, according to information from the US DHHS Office of Civil Rights.