Don’t Forget the Paper!
Offline Security Risks Are Alive and Well
A lost backpack retrieved in a deli in Connecticut recently provided us with a timely reminder that security risks associated with protected health information are not limited to electronic threats. Many times, good old-fashioned paper is the culprit.
In this case, the lost backpack contained four notepads with handwritten sensitive information on about 400 participants in Access Health CT, the health insurance exchange operated by Connecticut under the Affordable Care Act.
It’s easy to get caught up in the complexities of cybersecurity. And of course, technology presents significant security risks to PHI. But we can’t lose sight of the fact that organizations are equally at risk of a breach from offline activities.
A misplaced piece of paper can lead to the same outcome as a stolen laptop or a hacked database. In fact, paper continues to be a major source of breaches due to missteps such as misdirected faxes and mailings and improper disposal.
These were the findings of a new study by the HHS’ Office for Civil Rights. OCR recently submitted a report, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012, as mandated under the HITECH Act.
The report shows that in 2012, paper records were involved in 23 percent of major breaches and in a whopping 61 percent of smaller breaches.
The big takeaway here is something we advocate for regularly. Any HIPAA compliance program must take a balanced approach to ensure it considers policies, procedures, people and safeguards. Information security risks come in many different flavors, and from many different sources. Are you taking a comprehensive view?