Although small privacy breaches affecting less than 500 patients per incident are not usually broadcast as widely as large scale cyberattacks, they can be just as detrimental to healthcare organizations. These small breaches can be as simple as a patient’s protected health information (PHI) mistakenly going to the wrong person.
The financial impact of small breaches is real. According to the American National Standards Institute, each breach can cost anywhere from $8,000 to $300,000, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, with a maximum of $1.5 million annually for repeated occurrences. But it is not just the monetary aspect that makes breaches so costly; the loss of brand value is a major threat as well.
Since 2009, more than 180,000 small breaches have been reported to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), compared with just 1,700 breaches involving more than 500 patients. While large scale breaches caused by hacking pose an obvious threat, smaller breaches are not to be taken lightly.
In fact, there is a heightened awareness of small breaches across the healthcare industry. The OCR launched a new initiative in August 2016 aimed at increasing the investigative and enforcement authority of its regional offices. This initiative allows regional offices to prioritize which breaches to investigate and how to allocate resources based on the size of the breach, the theft or improper disposal of unencrypted PHI, the amount, nature and sensitivity of the PHI involved, and other considerations.
According to the OCR, this initiative will help “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Regional offices will look for patterns and series of breaches in order to quell their increasing frequency.
The Risky Business of Release of Information
MRO’s research shows there are as many as 40 disclosure points across individual health systems. Most of these disclosure points tend to be managed outside the health Information management (HIM) department by individuals not trained in release of information (ROI) and PHI disclosure management. This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.
Another key factor driving risk involves gaps in the quality assurance (QA) processes. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of these invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some five percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, 0.7 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 700 comingled records.
The increasingly complex regulations and compliance requirements for sharing PHI constitute another factor in the growing number of small breaches caused by improper disclosure. According to a 2015 Ponemon Institute survey, 40 percent of breaches are caused by unintentional employee actions, which lead to improper disclosures.
Filling the Gaps in ROI Workflow to Minimize Breach Risk
Deploying an enterprise-wide strategy for PHI disclosure management standardizes policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.
Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release will help reduce improper disclosures. These additional quality checks should come from a combination of trained ROI specialists and record integrity technology that uses optical character recognition to locate and correct comingled records. This combination of people and technology will drive improved accuracy and minimize breach risk.
ensure that their current policies and procedures align with the law.
Editors Note: This article was originally published on ICD10monitor, April 15, 2025 In a sweeping policy shift, the Centers for Medicare & Medicaid Services (CMS)
In just days, the U.S. Department of Health and Human Services (HHS) may begin eliminating regulations it deems unlawful or beyond its authority – that
Please log in to your account to comment on this article.
Struggling with ICD-10-CM coding for diabetes and complications? This expert-led webcast clarifies complex combination codes, documentation gaps, and sequencing rules to reduce denials and ensure compliance. Dr. Angela Comfort will provide actionable strategies to accurately link diabetes to complications, improve provider documentation, and optimize reimbursement—helping coders, CDI specialists, and HIM leaders minimize audit risks and strengthen revenue integrity. Don’t miss this chance to master diabetes coding with real-world case studies, key takeaways, and live Q&A!
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s fourth quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s third quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s second quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Providers face increasing Medicare audits when using skin substitute grafts, leaving many unprepared for claim denials and financial liabilities. Join veteran healthcare attorney Andrew B. Wachler, Esq., in this essential webcast and master the Medicare audit process, learn best practices for compliant billing and documentation, and mitigate fraud and abuse risks. With actionable insights and a live Q&A session, you’ll gain the tools to defend your practice and ensure compliance in this rapidly evolving landscape.
Dr. Ronald Hirsch dives into the basics of Medicare for clinicians to be successful as utilization review professionals. He’ll break down what Medicare does and doesn’t pay for, what services it provides and how hospitals get paid for providing those services – including both inpatient and outpatient. Learn how claims are prepared and how much patients must pay for their care. By attending our webcast, you will gain a new understanding of these issues and be better equipped to talk to patients, to their medical staff, and to their administrative team.
Hospitals face growing challenges in measuring observation metrics due to inconsistencies in classification, payer policies, and benchmarking practices. Join Tiffany Ferguson, LMSW, CMAC, ACM, and Anuja Mohla, DO, FACP, MBA, ACPA-C, CHCQM-PHYADV as they provide critical insights into refining observation metrics. This webcast will address key issues affecting observation data integrity and offer strategies for improving consistency in reporting. You will learn how to define meaningful metrics, clarify commonly misinterpreted terms, and apply best practices for benchmarking, and gain actionable strategies to enhance observation data reliability, mitigate financial risk, and drive better decision-making.
The 2025 Medicare Physician Fee Schedule brings significant changes to payment rates, coverage, and coding for physician services, impacting practices nationwide. Join Stanley Nachimson, MS., as he provides a comprehensive guide to understanding these updates, offering actionable insights on new Medicare-covered services, revised coding rules, and payment policies effective January 1. Learn how to adapt your practices to maintain compliance, maximize reimbursement, and plan for revenue in 2025. Whether you’re a physician, coder, or financial staff member, this session equips you with the tools to navigate Medicare’s evolving requirements confidently and efficiently.
Copyright © 2025 ICD10monitor. Powered by MedLearn Media.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
