Organizations reporting breaches quicker to fed agencies
The Department of Health and Human Services’ Office for Civil Rights is cracking down on providers that do not report breaches of protected health information in a timely manner.
OCR in March started to fine organizations that do not notify federal agencies of breaches within 60 days as required. The effect has been dramatic—average reporting times for breaches were only 45 days in March and 59 in April, compared with 478 days in February, according to Protenus, a vendor that offers a cloud platform to monitor and protect the security of hospital electronic health records.
“It is difficult to know for sure with limited data, but we might suggest two reasons for this trend of reduced breach reporting time,” says Robert Lord, co-founder and CEO at Protenus. “One potential reason is that starting earlier this year, HHS has arguably stepped up enforcement on healthcare organizations that do not report breaches within the required 60-day window.
“An additional potential reason is that healthcare organizations are becoming more diligent in their analysis and reporting of breaches, as awareness of the importance of reporting grows,” Lord continues. “While these incidents are unfortunate, they can be used as a learning experience to educate other covered entities on best practices.”
The number of days between when a breach occurred and when it was discovered in April ranged from almost immediately to 228 days.
In April, 16 hacking incidents accounted for 47 percent of all breaches. Another 29 percent were caused by insiders, 15 percent involved lost or stolen data, and 9 percent occurred by unknown means. The records breached in the April attacks for which Protenus has numbers involve a total of 171,268 patients.
By type of entity, the breaches reported last month involved providers (79 percent of all incidents), health insurers (5.8 percent), business associates or vendors (5.8 percent) and other (8.8 percent). Data for the monthly Protenus Breach Barometer report comes from DataBreaches.net.