The Rising Tide of Small Scale Privacy Breaches

Although small privacy breaches affecting less than 500 patients per incident are not usually broadcast as widely as large scale cyberattacks, they can be just as detrimental to healthcare organizations. These small breaches can be as simple as a patient’s protected health information (PHI) mistakenly going to the wrong person.

The financial impact of small breaches is real. According to the American National Standards Institute, each breach can cost anywhere from $8,000 to $300,000, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, with a maximum of $1.5 million annually for repeated occurrences. But it is not just the monetary aspect that makes breaches so costly; the loss of brand value is a major threat as well.

Since 2009, more than 180,000 small breaches have been reported to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), compared with just 1,700 breaches involving more than 500 patients. While large scale breaches caused by hacking pose an obvious threat, smaller breaches are not to be taken lightly.

In fact, there is a heightened awareness of small breaches across the healthcare industry. The OCR launched a new initiative in August 2016 aimed at increasing the investigative and enforcement authority of its regional offices. This initiative allows regional offices to prioritize which breaches to investigate and how to allocate resources based on the size of the breach, the theft or improper disposal of unencrypted PHI, the amount, nature and sensitivity of the PHI involved, and other considerations.

According to the OCR, this initiative will help “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Regional offices will look for patterns and series of breaches in order to quell their increasing frequency.

The Risky Business of Release of Information

MRO’s research shows there are as many as 40 disclosure points across individual health systems. Most of these disclosure points tend to be managed outside the health Information management (HIM) department by individuals not trained in release of information (ROI) and PHI disclosure management. This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.

Another key factor driving risk involves gaps in the quality assurance (QA) processes. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of these invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some five percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, 0.7 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 700 comingled records.

The increasingly complex regulations and compliance requirements for sharing PHI constitute another factor in the growing number of small breaches caused by improper disclosure. According to a 2015 Ponemon Institute survey, 40 percent of breaches are caused by unintentional employee actions, which lead to improper disclosures.

Filling the Gaps in ROI Workflow to Minimize Breach Risk

Deploying an enterprise-wide strategy for PHI disclosure management standardizes policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.

Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release will help reduce improper disclosures. These additional quality checks should come from a combination of trained ROI specialists and record integrity technology that uses optical character recognition to locate and correct comingled records. This combination of people and technology will drive improved accuracy and minimize breach risk.

ensure that their current policies and procedures align with the law. 


Michael Rosen, Esq.

Michael Rosen brings more than 20 years of experience in founding and leading service-oriented businesses. He co-founded Background America, Inc., which was acquired by Kroll Inc. He was promoted to president of the Background Screening Division, which employed 1,000 people in seven countries. He is now the co-founder of ProviderTrust, Inc. a national healthcare compliance service that helps facilities stay in compliance. He has received numerous accolades, including the Inc. Magazine 500 Award, Nashville Chamber of Commerce Small Business of the Year award, and the Music City Future 50 Award.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Mastering Good Faith Estimates Under the No Surprises Act: Compliance and Best Practices

Mastering Good Faith Estimates Under the No Surprises Act: Compliance and Best Practices

The No Surprises Act (NSA) presents a challenge for hospitals and providers who must provide Good Faith Estimates (GFEs) for all schedulable services for self-pay and uninsured patients. Compliance is necessary, but few hospitals have been able to fully comply with the requirements despite being a year into the NSA. This webcast provides an overview of the NSA/GFE policy, its impact, and a step-by-step process to adhere to the requirements and avoid non-compliance penalties.

Mastering E&M Guidelines: Empowering Providers for Accurate Service Documentation and Scenario Understanding in 2023

Mastering E&M Guidelines: Empowering Providers for Accurate Service Documentation and Scenario Understanding in 2023

This expert-guided webcast will showcase tips for providers to ensure appropriate capture of the work performed for a visit. Comprehensive examples will be given that demonstrate documentation gaps and how to educate providers on the documentation necessary to appropriately assign a level of service. You will gain clarification on answers regarding emergency department and urgent care coding circumstances as well as a review of how/when it is appropriate to code for E&M in radiology and more.

June 21, 2023
Breaking Down the Proposed IPPS Rule for FY 2024: Top Impacts You Need to Know

Breaking Down the Proposed IPPS Rule for FY 2024: Top Impacts You Need to Know

Set yourself up for financial and compliance success with expert guidance that breaks down the impactful changes including MS-DRG methodology, surgical hierarchy updates, and many new technology add-on payments (NTAPs). Identify areas of potential challenge ahead of time and master solutions for all 2024 Proposed IPPS changes.

May 24, 2023

Trending News