BreachExchange mailing list archives

Health privacy: HIPAA breach reports on sharp rise


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Jul 2014 18:55:37 -0600

http://hr.blr.com/HR-news/Benefits-Leave/HIPAA-Health-Information-Privacy/Health-privacy-HIPAA-breach-reports-on-sharp-rise#

Earlier this month, the HHS Office for Civil Rights issued its Annual
Report to Congress on Breaches of Unsecured Protected Health Information,
the second such annual report. The findings are sobering.

From September 2009 to December 2012, OCR received 710 breach reports
affecting approximately 22.5 million individuals. The frequency of those
breach reports, according to one tally, is spiraling upward, up nearly 46%
in the period between January 2014 and May 2014 over the same period in the
previous year.

Another recent report notes that more and more organizations are learning
of breaches by phone calls from, among others, the FBI.

Criminal prosecutions, always permitted under HIPAA, may be on the rise. In
March, the U.S. Department of Justice indicted a former employee of an unnamed
East Texas hospital, charging wrongful disclosure of individually
identifiable health information in violation of HIPAA.

The former employee faces up to 10 years in prison and a fine of $250,000
if convicted, according to the indictment, unsealed in July. While such
indictments are rare, the recent toughening of enforcement actions may
anticipate the growth in such criminal indictments.

The OCR itself continues to step up its game. At a recent American Bar
Association Health Law Section conference, a chief regional civil rights
attorney from OCR warned that covered entities can expect enforcement to
increase dramatically, along with fines.

About the only reprieve covered entities can expect will be brief, as
incoming OCR chief Jocelyn Samuels transitions over from the civil rights
division of the Department of Justice. But she will be on duty soon enough,
succeeding Leon Rodriguez, who moved on to a post in the Department of
Homeland Security.

Breaches Shift to Online

A preponderance of previous breaches were triggered by lost laptops or
misplaced boxes of paper records. But those days are rapidly fading.
Today's breaches are increasingly taking place via the same Internet that
enables easier patient access and legitimate health information exchanges.

Criminal hackers are also targeting bigger repositories of data, such as
state departments of health. The state of Vermont recently confirmed that a
development server of the Vermont Health Connect, the state's health
insurance exchange under the Affordable Care Act, was the target of
cyber-attack last December.

Investigators traced the attack to an IP address in Romania. Another
cyber-attack hit the computer server of Montana Department of Public Health
and Human Services.

The fines are adding up as well. Parkview Health System in Fort Wayne,
Indiana, recently paid an $800,000 fine to OCR for unloading 71 boxes of
records in a doctor's driveway. But again, that's just paper. The amount of
information in those 71 boxes could be dwarfed by a single digital
compromise from a cyber-attack.

A Patchwork of Laws

And federal penalties aren't the only ones waiting to trip up covered
entities. Data privacy regulations vary from state to state. Recently,
Florida toughened its breach notification law, which is also prompting
greater calls for more uniform state breach notification laws nationwide.

Right now, those laws vary. A lot. For instance, the California
Confidentiality and Medical Information Act carries a $1000 penalty per
patient if a provider discloses certain medical information without the
consent of the patient, says Ted Kobus, partner and co-leader of the
privacy and data protection team at BakerHostetler, one of the largest law
firms in the U.S., which represents covered entities in data breach cases
at both the state and national level.

"Documenting and compliance are the two most important things," Kobus says.
"If you're forced to do something that may not be exactly the way that you
think the security rule requires you to do it, or you make a decision and
accept a risk, the key is going to be documentation. If OCR comes in [and]
they see that you've documented that risk, you've understood that risk, and
you've responded to it in a certain way, whether it's physical controls or
administrative safeguards or some other technological safeguard, you're
going to be in a much better position."

Large providers, as usual, are in better shape. "The problem is there are
so many healthcare providers that have small physicians' offices or small
surgical centers, that may not be as prepared as a sophisticated health
system," Kobus says.

What is a Data Breach?

"They don't really understand the extent of compliance that's going to be
required. Many of them just aren't prepared to deal with an OCR
investigation, and they're not prepared to show their compliance with the
HIPAA security and privacy rules."

When I first talked to Kobus a year ago, as I reported on the HIPAA Omnibus
legislation then going into effect, he was looking forward to tools the OCR
said it would provide to help covered entities go through breach analyses.

A year later, he is still waiting for the release of those tools.

"We really haven't seen any firm guidance on what is considered to be a
breach and what's not considered a breach," Kobus says. Some covered
entities might also be over-reporting breaches due to lack of such tools,
he adds.

"Over-notification doesn't serve anyone well," Kobus says. Those notified
of a potential HIPAA breach may become blasé about such notifications; when
they receive one that they should pay serious attention to, then they may
discard the notification due to a string of prior notifications that led to
no serious consequences.

The other event that probably colors the uptick in HIPAA and state breach
law notifications is the Target data breach in the 2013 holiday season.
"The reason everyone is talking about Target is not because of the numbers,
because we've had breaches larger than Target," Kobus says.

"The reason is because every single American was affected by Target,
because you either shop at Target, or you know someone who shops at Target.
So everyone you know has been affected by this in some way."

The result is "a discussion that's occurring at the board level. People
don't want to be the one where it happens on their watch."

For those boards, CIOs and CISOs, better breach analysis tools, or more
consistent legislation cannot come soon enough. As more and more healthcare
data flows across the Internet, expect more breaches, more headlines, more
fines, and more questions than answers.