HIPAA Breaches – Have You Conducted Your PHI Vulnerability Assessment?

June 3, 2014   |   Gerry Blass

Get the full JHIM column by clicking here

As of the writing of this column, we are hearing preliminary concerns and we hope that any privacy and security vulnerabilities that exist today at the federal health insurance exchange website will have been addressed by the time this column is published.

The overall concern, however, is the ongoing breaches of PHI and why they are occurring.

Common Reason for Breach

The most common reported reason for breaches of electronic PHI (ePHI) has been lost or stolen unencrypted portable devices and other electronic media. We can easily see that just by looking at the HHS “Wall of Shame.”

Typical portable devices and media include laptops, tablets, flash drives, CDs, external hard drives, smartphones, and more. The keyword is “unencrypted.” If lost or stolen devices are encrypted according to HHS standards, there is no breach.

Willful Neglect

So after four years of breach notifications (required first by the HITECH Act, then by the Breach Notification Interim Final Rule, and now by the Omnibus Rule), if a breach event is due to an unencrypted portable device, the conclusion is potentially going to be willful neglect, and the resulting penalties will be very costly: in the millions of dollars for the larger entities and approaching one million dollars for smaller entities.

Add to that the potential for civil action lawsuits, the cost of providing free credit report access to the individuals involved in the breach, damage to reputation, and the potential for additional audits and corrective action plans, and the overall negative impact can be very extensive. And all of the above could simply be due to a copier hard drive or a flash drive.

Breach Examples

The authors are certain that many, if not all, of you have read news about breach events. But just in case, here are some examples:

The OCR settled a case with Affinity Health Plan for $1.2 million that involved several photocopiers that Affinity had rented. Affinity returned the machines to the owner without erasing the data on their hard drives. The photocopiers were then sold to a national news network, which did a TV exposé when it discovered the ePHI.

In the summer of 2013 there was a major problem at a safety net organization about the release of 3,700 individuals’ information in an e-mail. Families and caregivers spoke out after an inadvertent release of ePHI in an e-mail chain.

The OCR settled with the Massachusetts Eye and Ear Infirmary (MEEI) for $1.5 million for the theft of an unencrypted laptop. MEEI also has a corrective action plan in place and had to retain an independent monitor. The information on the laptop included patient prescriptions and clinical information. MEEI previously self-reported this breach.

In 2012 BlueCross and BlueShield of Tennessee settled with OCR for $1.5 million when 57 unencrypted computer hard drives containing PHI of over 1 million individuals had been stolen from a leased facility. This was also a self-reported breach.

Tip of the Iceberg

One of your reporters writes a weekly healthcare information report and can state unequivocally that these reports are only the tip of the iceberg.

When the OCR reports that it is going to do more aggressive enforcement, it really means it. To back this up, OCR Director Leon Rodriguez stated at the September 2013 HIMSS Privacy and Security Forum that if the breach is by a Business Associate, OCR will investigate both the Business Associate and its Covered Entity.

Beyond the Firewall

In today’s world the security perimeter has changed dramatically; it no longer ends at the firewall. And the firewall is now very porous—often with our permission.

Many healthcare entities' perimeters are now so far beyond the edge that they are a dim horizon. We may not even be able to predict the edge of the security perimeter, since it encompasses cloud storage and use. Do you know where all your cloud vendor(s)' servers are? Do you know if your cloud vendor owns all the servers, or does it rent them? Do you know where your ePHI is stored? Is it stored within the United States borders or “offshore,” where information privacy and security rules may be very different? Are you notified by your cloud vendor(s) when new servers are added, and does the notification include the entity name and country?

Remember when you wanted no openings in your firewall that the IT shop did not approve of and control? Well, any and all security perimeters now have many, many openings: for more and more remote workers, for portal access by patients and providers, for mobile tools including laptops, tablets and smartphones that travel with your workforce, and for websites and other social media.

Assess, Assess, Assess

To reduce the risk of breach, covered entities and business associates first need to identify where they are vulnerable to breach, evaluate the risk, and implement a mitigation plan. We call this kind of assessment a “PHI Vulnerability Assessment.” It should include considerations for both hardcopy and electronic PHI.

Get started!

To get started, make a list of all categories of locations where PHI can exist in your organization. Typical examples are portable devices (list each type separately), multi-user workstations in public settings, single-user workstations, servers, remote access, remote hosts, Wi-Fi transmission, email transmission, other transmission to the open network, copiers, fax machines, external hard drives, backup tapes, transporting of PHI, BYOD, BYOA, portals, hardcopy and electronic disposal, and more. For each category or “type” of PHI location, examine current controls (policy, physical, technical) and future plans; identify gaps; rate risk likelihood and impact; and decide whether risk mitigation is necessary. If so, assign risk mitigation tasks and manage them. If not, document why.
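The assessment procedure above (inventory of PHI location categories, controls, gaps, likelihood and impact, mitigation decision with documented rationale) is easy to lose in a spreadsheet. The following added example, which is not part of the original column or any ComplyAssistant product, encodes it as a small risk register in Python. The scoring scale, the mitigation threshold of 6, the sample inventory, and the rule that an unencrypted portable device always gets a mitigation task (since its loss would be a reportable breach) are all assumptions made for illustration.

```python
"""Minimal PHI vulnerability assessment register (added example, hypothetical scales)."""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical 3-point scales; risk score = likelihood x impact (1..9)
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
MITIGATION_THRESHOLD = 6  # assumed: scores at or above this need a mitigation task
UNENCRYPTED_PORTABLE = "unencrypted portable device/media"


@dataclass
class PhiLocation:
    category: str              # e.g. "laptops", "copiers", "backup tapes"
    portable: bool             # device or media that can leave the premises
    encrypted: bool            # encrypted to the HHS standard (only meaningful if portable)
    controls: Dict[str, str]   # policy / physical / technical -> description ("" = none)
    likelihood: str
    impact: str


@dataclass
class Finding:
    category: str
    score: int
    gaps: List[str]
    mitigate: bool
    tasks: List[str]
    rationale: str             # why mitigation is (or is not) required, for the record


def find_gaps(loc: PhiLocation) -> List[str]:
    """Missing control types plus the single most common breach cause on the page."""
    gaps = [f"no {kind} control documented"
            for kind in ("policy", "physical", "technical") if not loc.controls.get(kind)]
    if loc.portable and not loc.encrypted:
        gaps.append(UNENCRYPTED_PORTABLE)
    return gaps


def assess(loc: PhiLocation) -> Finding:
    score = LIKELIHOOD[loc.likelihood] * IMPACT[loc.impact]
    gaps = find_gaps(loc)
    # Unencrypted portable media is mitigated regardless of score: loss or theft
    # would be a reportable breach, whereas encrypted media would not be.
    forced = UNENCRYPTED_PORTABLE in gaps
    mitigate = forced or score >= MITIGATION_THRESHOLD
    if forced:
        rationale = "unencrypted portable media: loss or theft would be a reportable breach"
    elif mitigate:
        rationale = f"risk score {score} >= threshold {MITIGATION_THRESHOLD}"
    else:
        rationale = f"risk accepted: score {score} below threshold, no control gaps" \
            if not gaps else f"risk accepted: score {score} below threshold; gaps noted"
    tasks = [f"{loc.category}: address {g}" for g in gaps] if mitigate else []
    if mitigate and not tasks:
        tasks.append(f"{loc.category}: reduce risk score {score} (no specific gap found)")
    return Finding(loc.category, score, gaps, mitigate, tasks, rationale)


def assess_inventory(locations: List[PhiLocation]) -> List[Finding]:
    return [assess(loc) for loc in locations]


def mitigation_tasks(findings: List[Finding]) -> List[str]:
    """Flat task list to assign and track; entries without mitigation contribute nothing."""
    return [t for f in findings for t in f.tasks]


# Constructed sample inventory (not real data) covering three location categories
SAMPLE_INVENTORY = [
    PhiLocation("laptops", portable=True, encrypted=False,
                controls={"policy": "acceptable use policy", "physical": "", "technical": ""},
                likelihood="high", impact="high"),
    PhiLocation("flash drives (encrypted)", portable=True, encrypted=True,
                controls={"policy": "media policy", "physical": "locked cabinet",
                          "technical": "hardware encryption"},
                likelihood="low", impact="medium"),
    PhiLocation("copiers", portable=False, encrypted=False,
                controls={"policy": "lease return procedure", "physical": "secured room",
                          "technical": ""},
                likelihood="medium", impact="high"),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.category:24} score={f.score} mitigate={f.mitigate}  {f.rationale}")
    for task in mitigation_tasks(assess_inventory(SAMPLE_INVENTORY)):
        print("  TASK:", task)
```

The point of recording a rationale on every row, including the rows that need no mitigation, is the column's own last instruction ("If not, document why"): an auditor reviewing the register should see a decision for every PHI location category, not just for the ones that were fixed.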

Conclusion

It is no mystery that the HITECH Omnibus Rule includes increased responsibilities and liabilities for business associates and more requirements for covered entities to know how their BAs are protecting their PHI; no mystery that encryption is considered a business requirement to protect vulnerable PHI; no mystery why penalties have skyrocketed along with the potential for civil action lawsuits and more; no mystery why Office for Civil Rights audits are mandated for covered entities and business associates. Enough is enough! Yes, the technology revolution and the categories of locations of unprotected health information have increased tremendously over the years, and that is why we keep reading about breaches. But that is no longer an excuse. CEs and BAs now know via the Omnibus Rule that they must put the word “Protected” back into their PHI.

About the Authors

Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. ComplyAssistant provides IT and compliance consulting services and software, also called ComplyAssistant. The software is a compliance management cloud portal that provides guidance, organization, collaboration alerts, and notifications for more effective management and documentation of healthcare compliance activities.
