Commentary | Videos | November 3, 2025

Reducing HIPAA Breaches

In the first part of his Pharma Commerce video interview, Faisal Khan, a GRC solutions expert with Vanta, explains how excessive data access and poor visibility into data flows remain leading causes of HIPAA-related incidents.

In a recent discussion with Pharmaceutical Commerce, Faisal Khan, a GRC solutions expert with Vanta, highlights how internal employee error continues to drive nearly half of all HIPAA-related data incidents. According to Khan, most of these breaches stem from fundamental lapses in access control and data management—specifically, employees having broader data access than their roles require. Without strict adherence to the principles of least privilege and role-based access control, sensitive patient health information (PHI) can easily be exposed, misused, or mishandled.

Khan explained that excessive access privileges often create a “trickle effect” across operations, leading to unintentional errors such as sending PHI to incorrect recipients, storing it in unsecured locations, or using it inappropriately for nonessential functions. These mistakes are not always malicious but are frequently the result of poor oversight, unclear data ownership, and insufficient process documentation.

To address these issues proactively, Khan recommended that healthcare and life sciences organizations map their data flows in detail—identifying how sensitive information moves within and beyond their systems. This process should include documenting the to’s, from’s, and how’s of data transfers to reveal vulnerabilities or inefficiencies in how PHI is handled.

Once these flows are understood, organizations can establish comprehensive asset and data inventories, helping security teams monitor what information exists, who can access it, and how it’s used. With these insights, leaders can implement targeted access controls, correct overly permissive roles, and reinforce policies for data storage and sharing.

Ultimately, Khan emphasized that protecting PHI requires more than compliance checkboxes—it demands a continuous, structured approach to data visibility and accountability. By aligning access control and data management with operational needs, organizations can meaningfully reduce risk while maintaining compliance with evolving HIPAA standards.

He also dives into the threat that third-party noncompliance poses to healthcare data security; best practices to close the perception gap of leaders feeling confident in vendor compliance despite limited oversight; and much more.

A transcript of his conversation with PC can be found below.

PC: A survey from Vanta shows that internal employee error accounts for nearly half of HIPAA-related incidents. What are the most common mistakes, and how can organizations address them proactively?

Khan: Some of the most common mistakes I'd call out are rooted in access control and data management domains as a whole. And really breaking those down from an access perspective, sometimes personnel really just have higher access to data—especially health data—than their role requires, where the whole concepts of least privilege and role-based access control are just not properly implemented.

With that, there’s that trickle effect to mishandling PHI accordingly as well, not only because they have broader access and more permissive roles than usual, but also mistakes in where and how the data is sent or stored or might be utilized for their operations. And with that, I'd say that to address both of those aspects proactively and just reduce that risk overall, organizations need to really take a step back and be very prescriptive in understanding and mapping their data flows, especially those that are related to their sensitive data, including PHI.

Once you have those data flows, you understand where things are going: the to’s, the from’s, and the how’s. You create asset and data inventories to track where the data should be going, so that you can then create those appropriate access control and data handling practices around them, where the access and the use of the data likely varies quite a bit. It might be okay, but in some cases, you may identify that it's not, and you need to make sure you have corrections in place for it.
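The reconciliation step that both the article body and Khan's answer describe (map the to's, from's and how's of PHI flows, inventory the assets, then compare against who actually has access) can be automated once the flow map and an IAM export exist. The following is an added example, not code from the article or from Vanta; every asset, role, transport and grant in it is constructed sample data, and the "approved transports" set is an assumed organizational policy.

```python
# Reconcile an IAM access export against a documented PHI data-flow map (constructed sample data).
from collections import defaultdict

# Asset inventory: asset name -> data classification.
ASSETS = {
    "ehr": "PHI",
    "billing_portal": "PHI",
    "claims_sftp": "PHI",
    "shared_drive": "PHI",
    "wiki": "internal",
}

# Data-flow map: the from's, to's and how's of each PHI transfer, plus the role whose job performs it.
DATA_FLOWS = [
    {"from": "ehr", "to": "billing_portal", "how": "api_tls", "role": "billing_clerk"},
    {"from": "billing_portal", "to": "claims_sftp", "how": "sftp", "role": "billing_clerk"},
    {"from": "ehr", "to": "shared_drive", "how": "email", "role": "care_coordinator"},
]

# Transports approved for PHI (assumed policy); anything else is a handling finding.
APPROVED_TRANSPORTS = {"api_tls", "sftp"}

# IAM export: role -> assets the role can currently read.
ACCESS_GRANTS = {
    "billing_clerk": {"ehr", "billing_portal", "claims_sftp", "wiki"},
    "care_coordinator": {"ehr", "shared_drive", "claims_sftp", "wiki"},
    "marketing_analyst": {"billing_portal", "wiki"},
}


def required_assets(flows):
    """Assets each role must touch according to the documented flows."""
    needed = defaultdict(set)
    for flow in flows:
        needed[flow["role"]].update((flow["from"], flow["to"]))
    return needed


def excess_phi_access(grants, flows, assets):
    """Least-privilege gap: PHI assets granted to a role that no documented flow needs."""
    needed = required_assets(flows)
    phi = {name for name, cls in assets.items() if cls == "PHI"}
    gaps = {role: sorted((granted & phi) - needed[role]) for role, granted in grants.items()}
    return {role: extra for role, extra in gaps.items() if extra}


def unapproved_phi_flows(flows, assets, approved):
    """Handling gap: PHI flows that move data over a transport outside the approved set."""
    return [flow for flow in flows
            if (assets.get(flow["from"]) == "PHI" or assets.get(flow["to"]) == "PHI")
            and flow["how"] not in approved]
```

Roles that appear in `excess_phi_access` are candidates for tightening, and flows returned by `unapproved_phi_flows` are the "unsecured location" cases the article describes; both lists are only as good as the flow map, so an undocumented flow shows up as a false excess grant rather than disappearing.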
