The HIPAA breach notification rule came into effect in September 2009. According to federal authorities, in these four years, the ‘Wall of Shame’ has seen 674 major breaches that affected a total of 27 million individuals. Although the Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously carrying out HIPAA enforcement actions across the healthcare industry, breaches continue to take place, each time revealing the same causes and reinforcing the same need for preventive action.
What the Breaches Have Taught Us
Need for Encryption
Time and again, breach incidents bring the need for encryption to the forefront. A majority of the breaches reported since September 2009 were caused by lost or stolen unencrypted devices, especially laptops. This fact further underscores the value of encryption as a breach preventer. The Director of OCR, Leon Rodriguez, is also of the opinion that encrypting data is the most risk-avoidant thing that healthcare entities can do, but entities often overestimate the cost and difficulty of encrypting data and consequently avoid it.
Need to Monitor Vendor Partners
It has been noted that some of the largest breaches have involved business associates. Breaches involving business associates accounted for nearly 22% of the total number of breach incidents, highlighting the need for covered entities to ensure that their vendor partners also implement effective security safeguards. This is of utmost relevance now that the HIPAA Omnibus Rule makes business associates and their subcontractors directly liable for HIPAA compliance as well.
Need for Effective Security Policies and Practices
20% of the breaches in the last four years involved unauthorized access to patient information, so healthcare entities have to direct attention towards how this can be prevented. Monitoring and managing access to health information should therefore be one of the top priorities for covered entities.
While these are some lessons learned from the breach incidents reported so far, the enforcement actions taken by OCR also offer a number of valuable insights.
Lessons to Learn from OCR’s Enforcement Actions
OCR’s enforcement actions have repeatedly highlighted the need for a thorough risk assessment to help uncover vulnerabilities and weaknesses in the system that could potentially lead to bigger issues and pose significant threats. According to Rodriguez, OCR investigations have repeatedly shown that the failure to do a thorough risk analysis has often been the cause behind the lack of encryption on devices that were stolen or lost, resulting in many large reportable breaches. Those entities that failed to do a risk analysis to assess where electronic PHI resides, and to determine vulnerabilities, also failed to encrypt.
The Value of Preventing a Breach
So far, federal investigations of some major breaches have resulted in significant monetary settlements, such as the one with insurer WellPoint, where the settlement amount was $1.7 million. In addition, the largest enforcement action taken by OCR was against Cignet Health, where OCR levied a penalty of $4.3 million for failing to provide patients access to their health information and then failing to cooperate with OCR investigators.
Under HIPAA Omnibus, penalties for each violation can range up to $1.5 million, and according to Rodriguez, OCR is likely to leverage more penalties to fund its permanent audit program that is to begin next year. Taking this into consideration, the primary focus of healthcare entities should be on how to prevent a breach and avoid such expensive incidents.
What’s in store?
Although the number of breaches has shown a decline since the beginning of this year, it is expected that, as a result of the HIPAA Omnibus rule, more major breaches will be reported in the coming months. This is because the Omnibus rule has changed the standard for HIPAA breach notification from assessing whether an incident is likely to result in a significant risk of financial, reputational or other harm, to a more objective presumption that any incident should be reported unless there is a very low probability that the data was compromised.
Next Steps for Healthcare Entities
With the permanent audit program set to begin in 2014, all healthcare entities should draw up a definite plan of action to comply with HIPAA Omnibus, if they are not already compliant, and prepare for the upcoming audits well in advance. Here are a few steps that entities can take to simplify the compliance process:
- Conduct a thorough risk assessment as early as possible
- Encrypt all devices containing electronic health records
- Adopt a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC and leverage its built-in HIPAA Omnibus compliance and security frameworks
- Revisit business associate agreements and ensure they are compliant with HIPAA Omnibus
- Document all security policies, practices, and compliance initiatives
These steps can help entities steer clear of breach incidents and face HIPAA audits with confidence.