Don’t Forget the Paper!
Offline Security Risks Are Alive and Well 

A lost backpack retrieved in a deli in Connecticut recently provided us with a timely reminder that security risks associated with protected health information are not limited to electronic threats. Many times, good old-fashioned paper is the culprit.

In this case, the lost backpack contained four notepads with handwritten sensitive information on about 400 participants in Access Health CT, the health insurance exchange operated by Connecticut under the Affordable Care Act.

It’s easy to get caught up in the complexities of cybersecurity. And of course, technology presents significant security risks to PHI. But we can’t lose sight of the fact that organizations are equally at risk of a breach from offline activities.

A misplaced piece of paper can lead to the same outcome as a stolen laptop or a hacked database. In fact, paper continues to be a major source of breaches due to missteps such as misdirected faxes and mailings and improper disposal.

These were the findings of a new study the HHS’ Office for Civil Rights. OCR recently submitted a report, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 as mandated under the HITECH Act.

The report shows that in 2012, paper records were involved in 23 percent of major breaches and in a whopping 61 percent of smaller breaches.

The big takeaway here is something we advocate for regularly. Any HIPAA compliance program must take a balanced approach to ensure it considers policies, procedures, people and safeguards. Information security risks come in many different flavors, and from many different sources. Are you taking a comprehensive view?


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.