When talking HIPAA privacy and security, the numbers do most of the talking. 

 

Take 29.3 million, for instance, the number of patient health records compromised in a HIPAA data breach since 2009, or 138 percent, the percent jump in the number of health records breached just from 2012. 

 

These numbers, compiled in a February 2014 breach report by healthcare IT security firm Redspin, though, don't tell the whole story, as these are numbers reported to the U.S. Department of Health and Human Services by HIPAA covered entities.

 

[See also: At $1.2M photocopy breach proves costly.]

 

Many healthcare breaches still go unreported, industry officials point out, and many breach offenders don't make the list of shame. Moreover, breaches involving the health records of fewer than 500 individuals are not required to be publicly reported, which also skews the final numbers. 

 

Lisa Gallagher, senior director of privacy and security for HIMSS, said speaking at the 2012 Boston Privacy and Security Forum, that somewhere between 40 million to 45 million patient records have actually been compromised. The number can't be confirmed, as the data isn't all there, she adds, but it's a more accurate number based on healthcare organizations' reporting.

 

Moreover, out of the 90,000 complaints HHS' Office for Civil Rights received in 2013, some 5,447 went unresolved. Although the office boasts a 94 percent success rate for resolving cases, some 53,000 of those cases may have been closed because either OCR lacked jurisdiction, or the complaint was untimely or withdrawn, not because a HIPAA violation did not occur.

 

Theft accounted for 83 percent of all large HIPAA privacy and security breaches, according to Redspin, which calculated its numbers using HHS data. Some 22 percent of breaches since 2009 were due to unauthorized access, and theft or loss of encrypted devices or computers accounted for 35 percent of all breaches; hacking accounted for 6 percent. 

 

[See also: Ready or not: HIPAA gets tougher today.]

 

Many of these breaches, officials say, can be easily avoided through regular risk analysis and updating company policies. "By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment, Redspin officials wrote in the report. "From there you can implement a remediation plan that significantly lowers your risk of breach." 

 

Redspin officials also noted that from 2009 through 2012, business associates were involved in the majority of large-scale breaches. However, in 2013, BAs were only involved in 10 percent of breaches. 

 

Under the new HIPAA Final Omnibus Rule, covered entities and business associates responsible for violating HIPAA privacy and security rules by failing to safeguard patient protected health information could face a potential up to $1.5 million in annual fines. 

 

Out of the more than 90,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.

 

When speaking with Healthcare IT News on the new HIPAA rules back in August, HHS' Office for Civil Rights Director Leon Rodriguez said those numbers are expected to go up, especially when the official audit program goes live this year. 

 

"I think all these (17) cases really powerfully articulate those expectations and the fact that we will be holding people accountable," Rodriguez said.

 

[See also: Behemoth breach sounds alarm for 4M.]

 

When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis," he said.

 

Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.