Is HHS a Breach Prevention Role Model?Time to Outline Protections for Health Insurance Exchanges
With the enforcement of the HIPAA Omnibus Rule looming in September, federal authorities are urging covered entities to work with business associates on compliance issues, including breach prevention.
Under the rule, business associates are now directly liable for HIPAA compliance and can be held responsible for data breaches. And so far this year, the percentage of BAs involved in major breaches is up compared to last year, a troubling trend.
If uninsured consumers lack faith in the security of the insurance exchanges, they may prove reluctant to use them.
But to build credibility, the Department of Health and Human Services, which enforces HIPAA through its Office for Civil Rights, needs to ramp up its own breach prevention efforts - especially for the state health insurance exchanges slated to begin operations Oct. 1. Otherwise, a policy of "do as I say, don't do as I do" could prove highly ineffective.
The Latest Statistics
Here's our latest monthly update on the breach statistics compiled by the Office for Civil Rights on its "wall of shame" website.
As of Aug. 23, the list of breaches that have affected 500 or more individuals since September 2009 included 646 incidents affecting a total of almost 22.6 million individuals. Of those, roughly 22 percent have involved business associates.
Some 19 incidents have been added to the tally in the past month.
So far, the list includes 62 breaches that began in 2013, affecting a combined total of about 525,000 individuals. And about 29 percent of those involved BAs - a step in the wrong direction. In 2013, 24 percent of breaches involved BAs.
But the number of individuals affected by 2013 breaches likely will skyrocket soon if the details of a July breach at a Chicago area physician group practice, which may have affected as many as 4 million patients, are confirmed. That incident at Advocate Medical Group involved the theft of four computers that, unfortunately, were not encrypted.
Clearly, there's still plenty of important breach prevention work that needs to be done, including more widespread use of encryption and better oversight of business associates.
Leading by Example?
Meanwhile, as the HHS Office for Civil Rights prepares to enforce the HIPAA Omnibus Rule, HHS faces a potential breach prevention credibility problem.
HHS is being criticized for not doing enough to prevent breaches in the systems that state health insurance exchanges will use.
An HHS Inspector General report says federal officials are behind schedule in assessing and testing key data security functions tied to the exchanges, which are a critical component of healthcare reform (see: Insurance Exchanges: Security Questions). So as of the Oct. 1 go-live date for the exchanges, authorities may lack information on the security risks and controls for a government hub that will act as a conduit for federal data for these state insurance exchanges, the report warns.
HHS officials, however, insist the data services hub will be ready and operationally secure in time for the launch.
In addition, 13 state attorneys general have written to HHS to express a long list of privacy concerns about insurance exchanges. They question, for example, whether HHS has taken adequate steps to ensure that so-called "navigators" hired to help consumers use the exchanges will receive adequate privacy training in the coming weeks.
If HHS is serious about getting healthcare providers and their business associates to take adequate breach prevention steps, it needs to be a good role model. Sooner, rather than later, HHS needs to carefully articulate all the steps it has completed to help ensure consumers' privacy as they use the new insurance exchanges.
Some of the criticisms of HHS about the lack of privacy precautions for the exchanges may be politically motivated or off-base. That's why it's so important for the agency to clearly spell out to healthcare providers and consumers alike all the precautions it's put in place. It's also important for HHS to provide detailed breach prevention guidance for healthcare organizations large and small as well as their business associates.
If uninsured consumers lack faith in the security of the insurance exchanges, they may prove reluctant to use them. And that, indeed, would be a major blow to healthcare reform efforts.