Over the years since HIPAA went into effect, the healthcare industry has witnessed an increasing number of breaches of protected health information (PHI). When the HITECH act was signed in 2009, a breach notification requirement was added. The HITECH Act has since been updated by the Omnibus final rule relating to the guidelines for determining what is a reportable breach and what is not.
The magic number for determining if a healthcare organization is added to the Federal Health and Human Services (HHS) website, aka “the wall of shame” relating to a reportable breach, remains 500 individual patients. In other words, any breach that includes more than 500 patients located in one state requires notifications to: HHS, local media and a notice must be placed on the healthcare organization’s website. Notifications must be sent to the individuals involved in the breach, along with other requirements. The potential for penalties, lawsuits and reputational harm results in major impact to the healthcare organization and /or business associate affected by the breach.
Back in the early days of HIPAA, the biggest risk of a breach was always thought to be from the internal workforce. For that reason, workforce training was seen as a major way to try to control risk. However, what we have all observed over the past six (6) years tells us that the kinds of breaches that cause the biggest impact are electronic, both accidental and intentional. We believe that the magic number of 500 was set because the initial numbers were lower and it seemed to be a reasonable metric for determining induction onto the wall of shame. The size of some recent breaches, especially the ones that are a result of cyber attacks, makes the 500 number seem small in relation.
If you take the time to browse the wall of shame on the HHS website, you see that theft or loss of portable devices, such as laptops, has been the most common cause for electronic breaches. It is important to note that it is normally the timeframe between the introduction of new technologies and the resulting risk mitigating controls when vulnerabilities can be threatened and breaches can occur. It is therefore important to assess new technologies such as portable devices before deployment in order to determine policy and manage risk.
For that reason, organizational governance, risk analysis and management, change management, and workforce education must be in place and must be functional. Since new technologies are always being introduced, the process to control the potential risks must be a continuous one that never ends. Information privacy and security budgets must address both human and technology to get the job done. Budgets have been traditionally insufficient and we believe that has resulted in creating the biggest risk in regards to protecting against unauthorized access to PHI.
The numbers of individuals involved in recent breaches have been huge in relation to the magic number of 500. We all read about breaches involving millions of individuals. Some of the recent cyber attacks have potentially resulted in numbers up to 10 million. Compare that to 500, and you have to wonder if that metric is going to increase, and where will it all end. How big can future breaches become?
Recently we have witnessed daily news of cyber attacks and breaches. This is a major worry that is keeping healthcare leaders awake at night. It has gotten to the point where even diligent organizations have been hit and have made the headlines. The wall of shame is becoming the “common” wall of shame. The shock caused by news of a breach seems to have diminished because there have been so many. But the impact of a major breach will always be huge in regards to not only fines, but also other costs, including harm to the organizations reputation.
We highly recommend that healthcare organizations follow guidelines such as the National Institute of Standards and Technology (NIST) CyberSecurity Framework, other guidelines from NIST and other sources in addition to the standards and implementation specifications of the HIPAA rules. It is recommended that you do not hesitate to hire information privacy and security experts to help your organization perform risk assessments and to implement administrative, physical, technical and organizational controls. The cost of compliance is potentially a fraction of the cost of a large breach. Healthcare now appears to be the number one (1) industry under cyber attacks, which means that the time has come for all covered entities and business associates to have a comprehensive information security program with organized evidence of due diligence.
Gerry Blass is President & CEO of ComplyAssistant and has more than 35 years of experience in healthcare IT and compliance. Blass provides IT and compliance consulting services and software (also called ComplyAssistant) that automate the management and documentation of healthcare compliance activities. To learn more, visit www.complyassistant.com.