With the unprecedented growth in the provision of telehealth services comes the possibility of incurring a data breach. Large or small, they can be exceedingly difficult for practitioners to deal with. Whether it’s a malicious ransomware attack or an employee who misplaces a thumb drive with protected healthcare information (PHI) on it, HIPAA requires these breaches, large or small, to be reported to the Department of Health & Services Office for Civil Rights (OCR). These reports appear on the HIPAA Wall of Shame.
What is the HIPAA Wall of Shame?
The HIPAA Wall of Shame is a HIPAA breach reporting tool created under the HIPAA Breach Notification Rule and the HITECH Act in 2009. Maintained by the OCR, the database lists all organizations with health care data breaches in the last 24 months that affected more than 500 individuals. The information reported includes the organization’s name, state, type of covered entity, the number of people affected, when the breach was reported, and the breached information format, for example, email, paper, etc. In 2017, it was redesigned to allow users to search archived breaches and those under current investigation (see HIPAA Breach Reporting Tool for “Wall of Shame”).
Types of HIPAA Breaches
The HIPAA Breach Notification Rule separates breaches into two categories:
- Minor breach: breaches of protected health information that affect fewer than 500 individuals. Individuals must be notified of the breach within 60 days of the discovery of the breach. All minor breaches that have occurred over the course of the year must be reported to the OCR no later than 60 days after the end of the calendar year.
- Meaningful breach: any breach that affects more than 500 individuals. Such breaches must be reported to the OCR immediately, within 60 days of the discovery of the breach. The breach must be reported to local media, and individuals must be notified within 30 days of discovering the breach.
How the HIPAA Wall of Shame Can be Helpful to Practitioners
By researching The HIPAA Wall of Shame, administrators and practitioners can educate themselves about the types and locations of various data breaches to determine the level of risk their organization may face. Faculty members and supervisors can develop engaging assignments for their Learners who need to understand HIPAA by having them research specific types of entities, the specific nature of their HIPAA violations, and the disciplinary action taken against them.
A 2018 study published in JAMA Internal Medicine, analyzed 1,138 breaches posted to The Wall of Shame. Interestingly, over half of the breaches were caused by employee mistakes or neglect (53%). Examples of a company’s internal HIPAA breaches were mistakes handling emails containing PHI and employees accessing PHI without authorization. Interestingly, only 32.5% of the breaches were caused by theft from outside the organization.
A more recent study (2020) by the Department of Health & Human Services (HHS) data reported that occurring breaches during 2010–19 (>500 records) paint a dark picture for the future.
- After eight years of seeing an average year-over-year increase in the number of reported breaches of 7%, in 2019, the number of breaches grew by 36% (total of 506 breach events)
- Healthcare providers showed the largest increase of 42%, which now accounts for 78% of reported breaches.
- In addition, the second-highest number of breached records occurred in 2019 (41 million)
- After 10 years of HHS reporting, 3,060 breaches have been reported (>500 records; smaller breaches are to be reported annually but are not published)
- More than 237 million patient records have been compromised.
Even with the transparency provided by the Health and Human Services’ “Wall of Shame,” the healthcare industry is failing in its duty to “do no harm” when managing client and patient records. last but not least, the evil-doers, the bad guys are improving their skills more and more quickly.
- See the current HIPAA Wall Of Shame here.
Cyber Attack Protection
Today’s telehealth providers, whether sole proprietors or organizations, need to be alert for cyber threats. Practitioners need to protect themselves with a HIPAA compliance program and provide employees with cybersecurity training to avoid ending up on The Wall of Shame or being taken to court (see Telebehavioral Health-Related Court Cases).
With discretionary enforcement of HIPAA since March of 2020 due to the COVID pandemic, the state of affairs with HIPAA compliance is only getting more dismal. Reports of hacking are published daily.
- If the reader has not yet taken professional training in how to maintain compliance with HIPAA requirements during COVID, this free TBHI COVID-19 Telehealth Best Practices training is available with 1 CME or CE hour or without the CME or CE hour for FREE.
- For readers who want to educate themselves or their staff with regard to HIPAA and other legal requirements but make the training convenient and actually interesting, consider the TBHI Basic Telehealth Legal Issues: Rules, Regulations & Risk Management digital, on-demand training, which also comes with 3 CME or CE hours at no additional cost.
- Where We Are on the Cybersecurity Journey
- Greenbone Networks GmbH. Information Security Report: Unprotected patient data on the Internet—a review 60 days later, or The Good, the Bad, and the Ugly
- Warner.senate.gov. Warner Seeks Answers in Light of Negligent Cybersecurity Practices by Health Care Company
- Greenbone Networks GmbH. The (hi)story of a data leak
- Department of Health & Human Services. Breach Notification Rule
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Whether you are practicing telemedicine, telehealth, or teletherapy, this course is essential to understanding the how and why of legal telepractice today. Must-know definitions, concepts, and their applications to common telepractice situations are offered to identify common dilemmas and their solutions. Relevant rules, regulations, and risk management strategies are put in context so you understand how regulatory systems are wired, and to give you a sense of where to go to ask which question. For example, differences between clinical guidelines security guidelines are explained so that you can attend to each as needed. Key telehealth issues are reviewed, including inter-jurisdictional practice; psychotherapy note-taking; email; text-messaging, security and privacy laws (HIPAA, PIPEDA, other privacy laws for vulnerable populations such as children); testimonials; and considerations for purchasing malpractice insurance. How and when to hire an attorney for your telepractice is also reviewed in detail.