HIPAA Privacy Violations…Insider Threat(s)

The website https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf lists all breaches of unsecured protected health information affecting 500 or more individuals, as reported to the Secretary of HHS under federal law (the HITECH Act breach notification requirement). Reading the report, many of the privacy violations are by insiders, for example:

Name of Covered Entity        Covered Entity Type  Individuals Affected  Breach Submission Date  Type of Breach                  Location of Breached Information  Business Associate Present
John E. Gonzalez DDS          Healthcare Provider                                                                                Other Portable Electronic Device
Autism Home Support Services  Healthcare Provider                                                Unauthorized Access/Disclosure

(Cells left empty were not captured in this excerpt of the report.)

Provider organizations are overwhelmed by suspicious activity because a given record access is hard to classify: is it work related, or is it a violation of patient privacy?

To meet their compliance obligations (HIPAA, HITECH, state and federal rules) and the cyber-security threats, many provider organizations spend their resources securing the network against malicious attacks and hackers trying to steal protected health information. Firewalls and other software/hardware tools are the defenses that keep out hackers and malicious outsiders, but what mechanism do we have for insiders (employees, contractors, etc.)? Looking at the OCR breach report, many of the incidents are the result of inadvertent data breaches from within the organization, by trusted insiders.

Endpoints in the provider organization (workstations, laptops, smartphones) are where employees spend most of their day. As such, the endpoints are where the breach inadvertently happens.

Many provider organizations have HIPAA policies, but they are loosely enforced, and the policies can be misread as covering normal business activities. For example:

              Printing patient records for a quality study.

              Opening a record because the patient and I share the same last name and first initial.

The endpoint is where technology and policy need to be combined to offer a solution.
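The two rationalizations above (bulk printing "for a study" and the shared-surname lookup) are exactly the patterns an access-audit monitor has to surface for a privacy officer, because the EHR itself cannot tell them from legitimate work. The following is an added example written for this page, not MindLeaf's product or any real EHR audit format: it runs a few privacy rules over constructed audit events. The log lines, user directory, patient index, roles, the "same unit means a care relationship" heuristic and the bulk-print threshold are all assumptions made for the demonstration.

```python
"""
Privacy-monitoring rules over EHR access-audit events.
Added example for this page; not MindLeaf's code and not a real EHR's audit
format. Every log line, name, role, unit and threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: timestamp,user_id,patient_id,action
AUDIT_LOG = """\
2023-03-06T09:12:00,u101,p500,view
2023-03-06T09:15:00,u101,p501,view
2023-03-06T23:40:00,u102,p502,view
2023-03-06T10:00:00,u103,p503,print
2023-03-06T10:01:00,u103,p504,print
2023-03-06T10:02:00,u103,p505,print
2023-03-06T10:03:00,u103,p506,print
2023-03-06T10:04:00,u103,p507,print
2023-03-06T11:30:00,u104,p509,view
"""

# Constructed workforce directory and patient index (hypothetical data).
USERS = {
    "u101": {"name": "Gonzalez, Jose", "role": "nurse", "unit": "peds"},
    "u102": {"name": "Smith, Ann", "role": "clerk", "unit": "billing"},
    "u103": {"name": "Lee, Kim", "role": "quality", "unit": "quality"},
    "u104": {"name": "Shah, Priya", "role": "nurse", "unit": "oncology"},
}
PATIENTS = {
    "p500": {"name": "Gonzalez, Juan", "unit": "peds"},
    "p501": {"name": "Doe, Mary", "unit": "peds"},
    "p502": {"name": "Roe, Rick", "unit": "oncology"},
    "p503": {"name": "Adams, Eve", "unit": "oncology"},
    "p504": {"name": "Baker, Tom", "unit": "oncology"},
    "p505": {"name": "Chen, Li", "unit": "oncology"},
    "p506": {"name": "Diaz, Ana", "unit": "oncology"},
    "p507": {"name": "Evans, Sam", "unit": "oncology"},
    "p509": {"name": "Singh, Raj", "unit": "oncology"},
}

# Assumptions for the demo: roles whose job spans every unit, clinical roles,
# local business hours, and what counts as "bulk" printing.
ENTERPRISE_ROLES = {"clerk", "quality"}
CLINICAL_ROLES = {"nurse", "physician"}
BUSINESS_HOURS = (6, 22)        # 06:00 to 22:00 local time
BULK_THRESHOLD = 5              # prints ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_log(text):
    """Turn the CSV-style audit text into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    events.sort(key=lambda e: e["ts"])
    return events


def _last_and_initial(name):
    """'Last, First' -> ('last', 'f'), case-folded for comparison."""
    last, first = name.split(", ", 1)
    return last.casefold(), first[:1].casefold()


def has_care_relationship(user, patient):
    """Same unit, or a role that works across units. A real system would use
    encounter/assignment data instead of this unit heuristic (assumption)."""
    return user["role"] in ENTERPRISE_ROLES or user["unit"] == patient["unit"]


def check_events(events):
    """Return (rule, user_id, detail) tuples a privacy officer should review."""
    alerts = []
    prints = defaultdict(list)   # user -> timestamps of recent print actions
    for ev in events:
        user, patient = USERS[ev["user"]], PATIENTS[ev["patient"]]

        # Rule 1: the page's own example. Shared surname and first initial is the
        # classic "I thought it was my record" / family-lookup pattern. Alert even
        # when a care relationship exists; a human decides whether it was work.
        if _last_and_initial(user["name"]) == _last_and_initial(patient["name"]):
            alerts.append(("NAME_MATCH", ev["user"], ev["patient"]))

        # Rule 2: access with no plausible work reason.
        if not has_care_relationship(user, patient):
            alerts.append(("NO_RELATIONSHIP", ev["user"], ev["patient"]))

        # Rule 3: non-clinical staff reading records outside business hours.
        hour = ev["ts"].hour
        in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
        if user["role"] not in CLINICAL_ROLES and not in_hours:
            alerts.append(("OFF_HOURS", ev["user"], ev["patient"]))

        # Rule 4: bulk printing ("records for a quality study"). Fires once per
        # user when the threshold is crossed inside the window. The study may be
        # legitimate, but printed PHI has left the audited system.
        if ev["action"] == "print":
            window = prints[ev["user"]]
            window.append(ev["ts"])
            window[:] = [t for t in window if ev["ts"] - t <= BULK_WINDOW]
            if len(window) == BULK_THRESHOLD:
                alerts.append(("BULK_PRINT", ev["user"],
                               f"{len(window)} prints within {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in check_events(parse_log(AUDIT_LOG)):
        print(*alert)
```

Run stand-alone, the sample data produces three alerts: u101's view of a same-surname patient on her own unit (a relationship exists, so only the name rule catches it), u102's late-night view by a billing clerk, and u103's five prints in five minutes; u104's view of a patient on her own unit during the day raises nothing. None of these alerts proves a violation; the point is that the rules turn "difficult to identify" into a short review queue with the context (who, whose record, when, how many) attached.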

At MindLeaf (www.mindleaf.com) we protect patient privacy by ensuring providers have the right procedures and policies, and by deploying a privacy-monitoring tool on a SaaS basis. Deployed together with the organization's policies and procedures, the SaaS tool offers the following capabilities:

  • Centrally monitor all access to patient records.
  • Monitor identities and send alerts on potential privacy violations.
  • Track incidents and end-user workflow.
  • Audit and manage large volumes of patient-access records.
  • Generate reports per state and federal guidelines.
  • Audit the release of medical records.
  • Document and account for all disclosures.
  • Meet Meaningful Use (MU) patient privacy requirements.
  • Manage patient privacy from a dashboard.
  • Prevent fraud with pre-built medical identity theft reports.





Paresh K. Shah