BreachExchange mailing list archives

Is OCR Scrutinizing Those with Multiple Breaches?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Jan 2016 17:16:11 -0700

http://www.databreachtoday.com/blogs/ocr-scrutinizing-those-multiple-breaches-p-2025

Is the agency that enforces HIPAA doing enough to make sure that
organizations that have had multiple smaller health data breaches are
taking steps to improve security?

A recent year-long investigation by the not-for-profit journalism
organization ProPublica found that hundreds of covered entities - ranging
from the U.S. Department of Veterans Affairs to retail pharmacy CVS - have
had many smaller breaches, as well as HIPAA noncompliance complaints filed
with the Department of Health and Human Services, over the last few years
with little or no consequences.

For instance, in analyzing HHS' Office for Civil Rights' data, ProPublica
found that between 2011 and 2014, CVS had more than 200 HIPAA complaints as
well as smaller breaches affecting fewer than 500 individuals each.

But to date, OCR has issued only one enforcement penalty against CVS, and
that was back in 2009. In that case, an OCR resolution agreement with CVS
over a case involving improperly disposed pharmacy records and bottles in
dumpsters in 2006 and 2007 called for the retail chain to pay a $2.25
million fine and implement a corrective action plan.

Of the 28 resolution agreements that OCR has signed since 2008, only one
has stemmed from a data breach impacting fewer than 500 individuals. That
was a settlement in December 2012 with The Hospice of North Idaho for a
case involving a stolen unencrypted laptop. The breach that kicked off
OCR's HIPAA investigation of the hospice affected 441 individuals. The
resolution agreement included a corrective action plan and $50,000
financial penalty.

OCR Scrutiny

In an interview last September, Deven McGraw, OCR's new deputy director of
health information privacy, told me that the office pays attention to HIPAA
breaches large and small, but the larger incidents that get listed on OCR's
infamous "wall of shame" website get more scrutiny.

"We investigate every breach of more than 500 records, and look at a lot of
breaches that are under 500 records, and we respond to complaints that
people have filed about HIPAA violations," she said. "We have an
enforcement infrastructure in place to both look at these and investigate
them, and if entities are out there thinking we are asleep at the wheel,
then they need to wake up because we are not asleep at the wheel. Counting
on not getting caught, counting on not getting audited - business
associates will be part of the next phase audit program - probably is a
risky strategy."

But even before the ProPublica analysis, OCR's handling of smaller breaches
and complaints had been under scrutiny by government watchdog agencies.

In a September 2015 report evaluating OCR's follow-up on breaches reported
by covered entities, HHS' Office of Inspector General reported that OCR did
not record information about smaller breaches in its case tracking system,
limiting OCR's ability to track and identify covered entities with multiple
small breaches. OIG also found that OCR investigators often miss breach
patterns indicating repeat offenders (see OIG: HIPAA Enforcement Activities
Need a Boost).

OIG made several recommendations to OCR on how to improve its handling of
breach cases, including oversight of small incidents. That included
recommending that OCR enter information about small breaches into its
case-tracking system or a searchable database linked to it. The report
notes that OCR agreed with all of OIG's recommendations.

Slim Resources

OCR did not reply to my request for comment on its plans to improve
scrutiny of smaller breaches and repeat offenders.

But given the long list of tasks on OCR's agenda for 2016, including
issuing HIPAA guidance on cloud computing and other subjects; developing a
new HIPAA audit protocol that pertains to business associates; and
launching phase two of the long-delayed audit program, it's questionable
whether OCR will be able to stretch its already skimpy resources to focus
more attention on the thousands of smaller breaches and HIPAA complaints
that get filed every year.

"I do think that the Office for Civil Rights is stretched very thin
investigating the large breaches and growing the proactive audit program of
both covered entities and business associates," independent privacy
attorney Susan Miller tells me. "OCR should give the smaller breaches more
time and attention. It is important that the entities that have small
breaches also need to be fined if the problem that caused the breach is
significant. Just because the breach is small does not mean that the entity
that had it should not be accountable for the event."

Miller recommends that OCR consider creating administrative boards with
hearing officers in all 10 of its regions. "If each small breach report was
significant enough, the board could fine the breaching entity, covered
entity or business associate, a small fine, say $1,000," she says.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who
formerly worked at OCR, contends that the HIPAA enforcement agency should
be resolving a greater number of egregious cases through financial
settlements.

"I expect that OCR feels the same way but is constrained by its resource
limitations," he says. "But I also hope that OCR continues to resolve most
cases through voluntary corrective action, especially cases where an
organization made reasonable efforts to comply with the law but an employee
went 'rogue,' or where there was genuine confusion regarding what the law
requires."

Greene says he'd like to see more transparency about smaller breaches.
"Right now, the only information we get is in the reports to Congress or in
OCR presentations. It would be great to have regularly updated information
regarding what types of small breaches OCR is seeing and what types of
entities are reporting these small breaches."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss