By: Kesha Boykin-McLean on July 1st, 2014

"Lessons Learned" from Office of Civil Rights

Patient Safety | Compliance | Data

"Those who do not learn history are doomed to repeat it." And we're not talking about grade school. Having a bit of perspective on the flubs and flops experienced by other businesses can help you create a strategy for avoiding those same mistakes.

The Department of Health and Human Services Office for Civil Rights (OCR) has published “Lessons Learned” from data breach reports for 2011 and 2012, and this bit of history is eye-opening.

The report revealed three leading causes for data breaches:

  1. Theft — Someone manages to get their hands on an electronic device, such as a laptop or an iPhone, or on papers containing protected health information (PHI)

  2. Unauthorized access — An unsecured network or facility leaves a big opening for unscrupulous types

  3. Loss — A careless employee loses a thumb drive or a paper folder containing PHI

Incidentally, hacking and incidents of tampering with or infiltration of network servers and equipment resulted in fewer reports than these three categories, but they affected the largest number of individuals overall.

HIPAA security issues can have a high cost in more ways than one. They can damage your facility’s reputation, for starters. But for bottom-line thinkers, these issues can result in millions of dollars in settlements.

According to the report, here's what you should focus on:

  1. Risk Analysis and Risk Management — Monitoring and auditing should be ongoing

  2. Security Evaluation — Test early and test often

  3. Security and Control of Portable Electronic Devices — PHI should be stored and transported only on electronic devices that are properly safeguarded through encryption

  4. Proper disposal of PHI in all forms — Be certain that electronic devices are wiped clean, papers are cross-cut shredded, etc.

  5. Physical Access Controls — You should always know — and control — who has access to what

  6. Training — Employees must be continuously trained regarding privacy and security policies and procedures

How does your facility stack up? How are you mitigating IT security risks?


About Kesha Boykin-McLean

As Chief Compliance Officer, Kesha Boykin-McLean brings over 20 years of experience in healthcare. Prior to joining VCS, Boykin-McLean held a number of senior-level compliance roles, including managing and developing the compliance program for St. Francis Hospital in Connecticut. She was also the Division Ethics and Compliance Officer for the Hospital Corporation of America’s Gulf Coast Division, where she was responsible for oversight of compliance programs for all hospitals within the division. Most recently, she served as an independent healthcare consultant, assisting hospitals with the planning and implementation of compliance programs.