From cell phone hacks to bank account scams, cybersecurity has become a priority for most people looking to protect their personal information.
But while there are some risks associated with digital storage, electronic health record management systems provide more security than records kept on paper, which are more vulnerable to physical damage, human error and theft.
And since effective information resource management and HIPAA compliance includes protecting paper hard copies, along with electronic patient health information, health care organizations need to be more vigilant than ever.
Thousands of Paper Records in the Open
In one of the largest data breaches in recent years, the privacy of hundreds of thousands of patients in Florida was jeopardized when, in December, medical records, billing statements, registration information and accounting records were strewn in the streets of Fort Myers, due to a transportation security accident.
The paper files, some more than ten years old, were being stored at the Radiology Regional Center and were due to be destroyed. But the doors to the vehicle that was transporting the records was not properly secured, and on the way to the county incinerator, boxes brimming with sensitive material were dumped on the street, tying up traffic and putting more than 480,000 patients at risk. Most of the records were recovered during the center’s clean-up efforts, but there’s no way to know whether other documents were stolen by onlookers or potential thieves. [Link to http://www.hipaajournal.com/480000-patients-notified-of-radiology-regional-center-phi-exposure-8322/]
The month prior to that, in a dumpster in Springfield, Ohio, a private citizen discovered piles of medical records containing medical diagnoses, health insurance information and Social Security numbers, among other information. The records belonged to Community Mercy Health Partners, and an investigation found that a HIPAA business associate did not properly dispose of them. According to the Department of Health and Human Services’ Office for Civil Rights, at least 113,000 individuals were affected by this incident, and no one knows whether unauthorized individuals or members of the public had the chance to look through these materials. [Link to: http://www.hipaajournal.com/community-mercy-health-partners-notifies-patients-of-november-data-breach-8283/]
Paper Important Part of Compliance
HIPAA regulations encompass PHI in any form, including paper. Proper compliance mandates medical records be permanently destroyed when they’re no longer needed, and in a way that renders them unreadable, indecipherable and unable to be reconstructed. According to the OCR, this might include shredding, burning, pulping or pulverizing the paper.
Because many health care organizations do not have the ability to properly destroy records in-house, the way records are transported to other facilities for destruction – in the case of the Fort Myers breach, the county’s incinerator – is also covered under HIPAA.
According to OCR survey data, 97 percent of hospitals reported having a certified EHR technology as of 2014. But paper is still in use, and older medical records that date back to before EHR implementation may still be stored.
Paper breaches have actually been on the rise each year since 2010. An estimated 229,743 people were affected by an information breach involving paper or film records in 2015. Among data breaches affecting 500 or more people, the number of incidents involving paper or film records rose from 46 in 2010, to 67 in 2015, one-quarter of total data breaches that year. [Link to healthit.gov http://dashboard.healthit.gov/quickstats/pages/breaches-protected-health-information.php or text source: U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals. February 1, 2016.]
The OCR has recorded at least 12 additional breaches of unsecured protected health information involving paper or film already in 2016.
Patients involved in both the Florida and Ohio cases have been notified of the breaches, and both organizations are taking steps to prevent future mishandling of paper records, such as reducing the instances in which paper records are kept and educating outside partners on proper disposal techniques.
Attend one of our free weekly webinars for more information on how to effectively safeguard all forms of PHI.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.