Proper Transportation of PHI and ePHI
In this lesson, we're going to show you how NOT to transport PHI (aka: explain a little more about common sense). And at the end of the lesson, we're going to take a look at healthcare data breach statistics, which clearly show why lessons like this are important.
You probably recall from the corresponding video for this lesson, that nurse Joy decided to go into a grocery store and leave patient records, along with her computer, in plain sight …. and with her windows down and her doors presumably unlocked.
It probably wasn't much of a shock to you when someone came along and took it all easily right through her open window. This is poor security! Nurse Joy didn't properly secure the PHI, ePHI, or even her computer.
You could use this example when training your staff about properly securing PHI. And while this all may seem a bit too much like an abuse of common sense, there have no doubt been numerous real-life incidents just like this, only with better acting.
Quiz: What should nurse Joy have done differently?
a) Rolled up her windows
b) Locked her car doors
c) Placed the PHI and her computer out of sight
d) All of the above
If you chose D, you are correct!
If you need to transport medical records or mobile devices that contain PHI, make sure to do all of the above to keep it secure. However, just taking PHI off-premises could also be a no-no, and therefore must be documented in your policies and procedures, along with secure means of transporting personal health information if it is allowed.
A Word About Healthcare Data Breach Statistics
Healthcare data breach statistics clearly show that there has been an upward trend in data breaches over the past nine years, with 2018 seeing more data breaches reported than any other year since records first started being published in 2009.
Warning: The prevalence of this problem is a bit shocking.
Between 2009 and 2018 there have been 2546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States.
Healthcare data breaches are now being reported at a rate of more than one per day.
There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. This was far and away the worst year in history for breached healthcare records with more than 113.27 million records exposed. The best year was 2012, with just 2,808,042 healthcare records exposed.
The good news is that the situation has improved since 2015 with successive decreases in the number of exposed records. Although that trend did not continue in 2018. The number of exposed records more than doubled from 5,138,179 records in 2017 to 13,236,569 records in 2018. However, that is still far lower than those outrageous 2015 statistics.
The Largest Healthcare Data Breaches
To understand how enormous this problem is, let's look at the three largest healthcare breaches to date, all of which occurred in 2015. All three were caused by a hacking or IT incident. And all three covered entities involved were health plans.
| 1. | Anthem Inc. | 78,800,000 individuals affected |
| 2. | Premera Blue Cross | 11,000,000 individuals affected |
| 3. | Excellus Health Plan Inc. | 10,000,000 individuals affected |
That's three incidents affecting 100 million people, or roughly 30 percent of the U.S. population. And all three occurring in the same year.
Hacking is the Leading Cause
Data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents.
The low hacking/IT incidents in earlier years could be partially due to the failure to detect hacking incidents and malware infections quickly. Many of the hacking incidents between 2014 and 2018 occurred many months, and in some cases years, before they were detected.
Hacking isn't the Only Cause
As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are not far behind.
Healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption. Although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.
Yes, the video example for this lesson seems extraordinarily laughable, and yet, this actually happens. Just because you have more sense than that, it would be unwise to assume all the employees in your business or organization share that uncommon sense. Which is why lessons like this still must exist.