For years, health care providers have worked hard to comply with the HIPAA Security Rule that requires implementation of administrative, technical, and physical safeguards to secure protected health information (PHI).  This recent study by Jorge Rey and Tyler Quinn at Kaufman, Rossin & Co. analyzes data breaches reported to the U.S. Department of Health and Human services between January 1, 2010, and December 31, 2011, in an effort to help health care providers and their vendors (business associates) develop more effective risk assessments.

What Caused PHI Data Breaches?

The study showed that theft comprised approximately 53% of data breaches, other “unauthorized access” caused approximately 20% of data breaches, loss of data caused approximately 15% of data breaches, while hacking and improper disposal of information comprised a very small number of data breaches (6% each).

Where Was The PHI Compromised?

The study further found that laptops, paper, and “other” media (portable electronic devices, backup tapes, CD’s, and X-ray films) were evenly split as locations of data breaches, with approximately 25% each.  Desktop computers and servers were the next most likely location for PHI breaches (approximately 10% to 15%), while email (approximately 2%) and electronic medical records (1%) were the least frequently breached locations of PHI.  The “other” category grew dramatically from 2010 to 2011, signifying the increased use of portable electronic devices among health care providers.


The study found that, overall, reported data breaches of PHI declined from 2010 to 2011, indicating that “[c]overed entities and business associates seem to have a better understanding of where e-PHI resides, and many have implemented safeguards to protect it.”  The bad news, however, is that the number of individuals whose PHI was compromised nearly doubled from 2010 to 2011.  Importantly, one of every five breaches occurred at or due to a business associate, indicating that health care providers need to do more to assess and monitor their vendors’ security weaknesses.

The study ends with a very helpful “Risk Score Tool” or checklist to help health care providers measure whether they are implementing effective safeguards for the PHI they collect and maintain.  I highly recommend this study to anyone in the health care industry who is interested in security and privacy issues that arise from the collection, storage, and use of PHI.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.