How to Avoid the HHS Breach Portal (Wall of Shame)
Known to some as the “Wall of Shame” or the HHS Breach Portal, the Health and Human Services page featuring failures to protect Protected Health Information (PHI and ePHI) in a HIPAA-compliant manner is one kind of web publicity no health care provider or organization wants.
1500 HHS Breach Portal Reports (And Counting)
As of the end of April 2016, there were more than 1,500 reports, 20 of them from April 2016 alone.
The HITECH Act requires breaches of unsecured protected health information affecting 500 or more individuals to be posted. Types of breaches include:
- Hacking/IT Incident
- Improper Disposal
- Unauthorized Access/Disclosure
The most common causes of a breach so serious it requires notification to HHS include:
- Theft of desktop computers or network servers
- Theft or loss of laptops or portable electronic devices
- Hacking incidents
Those are the sorts of electronic and device issues you might expect, but there can be non-electronic problems as well (think dumpster-diving as a result of “improper disposal”):
- Failing to properly secure or destroy paper printouts
- Failure to secure or destroy films (x-rays, etc.)
Actions To Take To Stay OFF the HHS Breach Portal
This Basic Security Checklist for the Small Healthcare Practice can provide sound advice on how to prevent problems. Many of the “best practices” are obvious (use strong passwords and change them often, use anti-virus protection, use a firewall…) but others involve relatively new issues, and foremost among those is the need to protect mobile devices that either contain ePHI or provide a means of accessing a server or EMR. Laptops are easy to lose, smartphones even more so.
The My Docs Online HIPAA page tells you what we do to protect ePHI, and includes guidelines for the correct use of My Docs Online by medical professionals.
Remember, the HIPAA Security Rule is not just about computers and networks. The rule specifies a series of administrative, physical, and technical safeguards that covered entities must use to assure the confidentiality, integrity, and availability of electronic protected health information.