Why the feds are upping the ante by looking at small breaches
The Office for Civil Rights (OCR) at the Department of Health and Human Services is clearly becoming dispirited and fed up with the number of data breaches in the healthcare industry.
This sentiment is made apparent by OCR’s announcement on August 18 that it, through its regional offices, will more aggressively investigate and pursue the so-called “small” breaches, which are those that impact fewer than 500 individuals.
In the announcement, OCR indicates that it wants to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Interestingly, the agency suggests that it wants to find “entity and systemic noncompliance” related to the reported breaches.
Trying to read between the lines, the statements suggest that OCR believes there are fundamental issues regarding HIPAA compliance among entities. If that assessment is true, then it provides a clear understanding and basis for the new announcement and encouragement to more fully investigate the small breaches.
When evaluating a small breach, OCR will consider the following elements:
- The size of the breach
- Theft of or disposal of unencrypted PHI
- Breaches that involved unwanted intrusions to IT systems
- The amount, nature and sensitivity of the PHI involved
- Instances in which numerous breach reports from a particular entity raise similar issues
Breaking down the elements, some resemble the factors that go into a breach risk assessment when determining whether there is a low probability of compromise. However, a couple of the elements reflect growing concerns drawn from recent breach settlements.
The first such element is theft or disposal involving unencrypted PHI. All too often, a thumb drive, laptop or other mobile device that is not encrypted leads to the exposure of PHI. Given the relative ease with which devices can be encrypted and the amount of attention being focused on encryption, it is clear why OCR has concerns.
Accordingly, activity on the encryption front needs to change. From OCR’s perspective, in the absence of a change in the regulations, it can encourage implementation of the addressable encryption specification by hitting entities in their pocketbooks. After all of the previous settlements and news stories focusing on the lack of encryption, this may be the last warning before money will be owed.
The second element of interest is the focus on breaches involving unwanted intrusions, such as hacking or ransomware attacks. It is no secret that the healthcare industry is widely viewed as very vulnerable and ripe for the picking among cybercriminals. The frequency and scope of attacks demonstrate this reality.
Despite the open season on healthcare, it is unclear what actions have been taken to step up security. On the one hand, cybercriminals will always be ahead of the defensive measures that entities can put into place. However, that does not mean entities cannot take proactive measures, and from OCR’s perspective the basis for those measures is the comprehensive risk analysis called for by HIPAA.
The risk analysis guides entities in identifying all risks and vulnerabilities as well as the likelihood of a breach occurring from each of them. If entities honestly analyze their operations, then arguably they would be able to close some of the windows that cyberattackers come in through.
Cyberthreats will not be going away any time soon, and if entities want to avoid the double harm of suffering both an attack and the imposition of a penalty from OCR, then they would be well advised to focus on cybersecurity.
Moving beyond the elements of what OCR will investigate with regard to small breaches, the practical impact of these investigations should also be examined. Curiously, the announcement follows earlier criticisms that OCR was not doing enough to openly address breaches affecting a small number of individuals. The reports faulted the private nature of resolutions as denying “victims” an understanding of how their harm was remedied and potentially not doing enough to demonstrate to entities that there are consequences to not complying with HIPAA.
If the new policy is a response to those reports, entities should be wary of what is to come. The recent spate of settlements suggests that OCR is done playing around and is out to make a point.
Ultimately, one of the major points about the announcement is that privacy and security are essential to trust and the advancement of digital healthcare. Any breach, whether one person or millions, impacts real people. Those individuals may feel betrayed or worried about what will come. If that message is reinforced and a human side to the breaches can be pushed to the fore, then maybe more visible action will occur when it comes to protecting and securing healthcare information.
No matter how many fines or public settlements are issued by OCR, it is up to each covered entity, business associate and subcontractor handling protected health information to take the necessary steps every day to ensure privacy and security. Compliance with HIPAA is not easy and requires ongoing effort that may not produce obvious results. However, when information remains private and secure, then everyone will be satisfied.