Breach Trend: Fewer Business Associates
Experts Analyze Latest Federal Tally
Of the major breaches in 2013 affecting 500 or more individuals that have been confirmed by federal authorities so far, about 19 percent have involved business associates, down from about 25 percent last year. And only three of the 46 breaches added to the federal tally since late September have involved business associates (see Wall of Shame: Four Years Later).
The decline in breaches at business associates could reflect under-reporting of incidents by business associates that are unsure how to assess breaches as a result of the transition to new guidance under the HIPAA Omnibus Rule, says Brian Evans, a healthcare information security consultant.
On the other hand, the trend could reflect improvement in breach prevention at these vendors as a result of growing pressure from the covered entities that they serve, says consultant Tom Walsh, who also specializes in security.
Under the HIPAA Omnibus Rule, business associates and their subcontractors are directly liable for HIPAA compliance, and are subject to civil penalties that can run as high as $1.5 million per year for violations of an identical provision. The Department of Health and Human Services' Office for Civil Rights began enforcement of the rule on Sept. 23.
By the Numbers
Since September 2009, when the HIPAA breach notification rule first went into effect, 720 major breaches affecting a total of 27.8 million individuals have been confirmed by the Office for Civil Rights. And about 21 percent of those have involved business associates.
Lost or stolen unencrypted computing devices have been involved in more than half of all major breaches since 2009, the tally shows.
The 46 new breaches added to the tally since late September affected a total of more than 870,000 individuals, but 729,000 of those were affected by a single breach at AHMC Healthcare, which had two unencrypted laptop computers stolen from the company's administrative offices in California.
And the biggest breach reported so far this year involved the theft of four unencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, has resulted in a class action lawsuit.
So far, the 2013 federal tally includes about 120 breaches affecting nearly 5.7 million individuals, but four large breaches were responsible for 90 percent of those affected. By comparison, the tally lists about 160 breaches in 2012 that affected 2.65 million individuals.
Signs of Improvement?
The small number of breaches involving business associates that have been added in the last two months to the official federal tally might be an indicator that vendors need more breach notification education, says Evans, the consultant.
"The lower number of breaches added to the 'wall of shame' from business associates since late September is likely attributed to a lack of maturity in their incident identification, analysis and reporting processes," Evans says. "Many vendors are still reacting to the HIPAA Omnibus Rule, which made business associates liable for compliance with HIPAA. ... As a result, business associates are less mature in identifying, analyzing and reporting on security incidents."
But Walsh says growing pressure from covered entities on business associates to bolster breach prevention likely is having an impact.
For example, Walsh knows of one community hospital that "has begun asking their business associates to complete a questionnaire regarding their compliance with the HIPAA Security Rule," he explains. "The results have been very interesting. The hospital has ended its relationship with a few of the smaller business associates because the questionnaire revealed many areas of risky practices and a lack of compliance with even some of the basic requirements in the HIPAA Security Rule," Walsh says.
"Information security consulting firms - mine included - have had an increase in activity from business associates looking for help to evaluate their overall compliance," he adds. "This may later translate to fewer breaches."
But Evans expects to see an increase in the number of breaches reported in the months to come as a result of the more specific notification guidance in the HIPAA Omnibus Rule.
"As healthcare organizations and business associates move from a reactive mode to a more formal and mature information security program, it's only logical that more security incidents will be identified and reported," he says.
Under the HIPAA Omnibus Rule, an impermissible use or disclosure of protected health information is presumed to be a breach unless a risk assessment demonstrates a low probability that the information has been compromised, explains security expert Kate Borten, principal at The Marblehead Group, a consulting firm (see HIPAA Omnibus: Determining Breaches).
"Only if an organization performs the rule's specified risk assessment and demonstrates that there is a low probability that the protected health information has been compromised is the organization off the hook for breach notification," she notes.
Evans is hopeful that breaches stemming from lost or stolen unencrypted devices will eventually become far less common.
"Encryption will ultimately become more commonplace as laws and regulations mandate the safeguarding of information and as breaches continue to occur," he says. "From storage to applications to mobile devices, encryption is now provided either out-of-the-box or through add-on products," Evans says. This increased availability of no-cost or low-cost encryption will benefit healthcare organizations and eventually reduce the likelihood of breaches, he adds.
Walsh is frustrated that more organizations aren't already making encryption a priority in their breach prevention efforts.
"Every time I read about another breach as a result of a stolen laptop, tablet, smartphone or computer workstation, I think: How can an organization still not realize the importance of encryption?"