Breaches at Hospitals Are Rampant: Survey
42% have 10 or more incidents a year
The survey also found that 84 percent of U.S. hospitals have at least one data breach incident a year, up from 63 percent in the year-old study. The new survey of compliance officers at hospitals was conducted between March 30 and April 13.
One key way to help prevent breaches and identity theft is to provide extensive staff training, says Steven Bearak, CEO of Identity Force. The Framingham, Mass.-based company conducted the e-mail survey in collaboration with the American Hospital Association, which transmitted it to all of its almost 5,000 members.
"The single most important thing is creating a breach-free culture," Bearak says. That involves conducting risk assessments, training staff on how to prevent breaches and tracking incidents.
Lack of training
The survey found that 38 percent of hospitals either do not have a training program in place on preventing misuse of identification or they have only trained a few employees.
Too many hospitals adopt a breach prevention policy and require employees to read it, but stop short of offering training, Bearak contends. "Relying on policies rather than training is a big problem," he says.
Only 16 percent of hospitals surveyed said they have a breach notification plan in place so they can comply with the HITECH Act.
Although the Act requires business associates to report breaches to hospitals, 61 percent of hospitals surveyed said they do not yet have a formal process for verifying that business associates are ready to comply with the Act. Also, 36 percent said they are certain that some of their business associates are not in compliance.
"These new regulations are complex and confusing," Bearak says. "People are unsure about how they will be enforced." He predicts it could take many months for hospitals to assess risks, devise plans for managing the breach notification process and identify which staff members will investigate breaches.
Bearak urges hospitals to amend their contracts with business associates to spell out expectations for compliance with the HITECH breach notification rule. He points out that in addition to software companies, billing companies and health information exchanges, business associates can include transcription companies, document shredding firms, document imaging companies and other firms that have access to personal health information.
Red Flags rule
Although it's unclear whether the Federal Trade Commission will, once again, delay the June 1 target date for enforcing its Identity Theft Red Flags Rule, hospitals should nevertheless be working toward compliance, Bearak argues. The rule requires hospitals and other healthcare organizations that grant credit to their clients to have formal, written policies and procedures in place to spot the red flags that are signs of identity theft.
Among other survey findings:
- 71 percent of hospitals investigate fewer than 50 cases of possible misuse of identity annually.
- 56 percent believe the new healthcare reform law, designed to help provide insurance coverage to more Americans, will have no impact or will increase medical identity theft.