Breach Reports: We've Only Just Begun
Experts hope publicity spurs compliance
But they're hopeful that the prospect of organizations seeing their name on a list of those that have failed to adequately secure their information will be a strong catalyst for launching a comprehensive risk management effort.
And they assert that most of the listed breaches probably could have been prevented with the use of data encryption and more aggressive training of staff about security issues.
The posting
On Feb. 22, the Office for Civil Rights within the U.S. Department of Health and Human Services began posting on its Web site a list of organizations that have notified HHS about a breach of unsecured health information involving more than 500 individuals.
Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually and also will be posted on the Office's site.
More to come
"I would expect that over time, we'll see a lot more breaches listed because there was a breach notification enforcement delay," says Melissa Bianchi, partner in the Washington law firm of Hogan & Hartson.
Although the breach notification rule took effect Sept. 23, HITECH called for a "grace period" until Feb. 22, during which federal regulators would not impose penalties for violations.
Because of the grace period, Bianchi says, "A number of organizations spent the early part of the year getting their compliance plans in place, so they may not have reported breaches."
Time for action
Now that organizations face the double-edged enforcement sword of potential penalties plus the embarrassment of having their name on a list of organizations that failed to secure their data, Bianchi and others are hopeful that hospitals, physician groups, health insurers and their business associates will finally get their security acts together.
"Most organizations wait until the final date for compliance and enforcement before they actually start doing anything about any new regulation," says security consultant Rebecca Herold, owner of Rebecca Herold & Associates, Van Meter, Iowa. As a result, many hospitals and others are about to discover just how big a job it is to prepare a risk management strategy and a breach notification plan, she notes.
The initial list of major breaches would have been much longer, experts say, if not for the breach notification rule's "harm threshold" provision. That controversial provision, devised by the U.S. Department of Health and Human Services, allows healthcare organizations to determine whether a particular data breach presents a "significant risk" and thus needs to be reported.
Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan., cautions healthcare organizations to take a very systematic approach to assessing whether an incident constitutes "significant risk" and not alter the evaluation criteria on a case-by-case basis.
He advises organizations to use such resources as the North Carolina Healthcare Information and Communications Alliance's breach notification risk assessment tool, available for free at nchica.org.
Encryption in the spotlight
The initial list of breaches highlights the need for encryption, security experts say. That's because the majority of the cases involved the theft of laptops, other portable devices, CDs and hard drives that contained unprotected data.

"The industry should understand and embrace encryption on portable media," says Kate Borten, president of the Marblehead Group, a security consulting firm based in Marblehead, Mass. "My guess is that in most theft cases, the data wasn't the target, but rather the device itself. But if the data on the device isn't encrypted, the theft is a breach."

Under the HITECH Act, those organizations that use a specific form of encryption do not have to report breaches.

Reported breaches involving such factors as mailing errors or phishing scams point to the need for more intensive staff training as well as security awareness campaigns, Herold says.