The healthcare industry experiences more data breaches (confirmed data disclosure) than any other industry in the United States, accounting for more than 24% of all breaches.1 In 2017, healthcare data breaches compromised more than 5 million healthcare records2 and cost providers an average of $380 per record — more than any other industry and 69% greater than the overall average.
A data breach doesn’t need to be criminal or intentional to be reportable. When a storage device is small, it is sometimes difficult to determine whether the device was lost, misplaced or stolen. However, even if a flash drive is presumably lost, a breach analysis must still be conducted and potentially affected patients must be notified if there is a probability of data compromise.
A review of the data on the OCR Breach Portal indicates that only about 20 percent of healthcare data breaches through 2017 are the result of hacking, but they involve large numbers of records.1 Unfortunately, the healthcare industry also has more data breaches than any other industry.2 There are various reasons for this. We describe some of those here and offer recommendations for preventing HIPAA data breaches caused by criminal hackers.
Patients have a right to expect that their private medical information will be kept confidential. In this interaction, a physician was ultimately responsible for a confidentiality breach — an ethically and legally inappropriate action.
Under HIPAA, a subpoena that is not accompanied by an order from a court or administrative agency does not allow the clinic to release medical records unless certain conditions are met.
There are three primary sets of conditions that allow a clinic to release medical records in response to a subpoena, which we discuss in this article.