HIPAA Breach Tally and Enforcement Grow
OCR Actions Show Feds Scrutinizing Small Breaches, Too
The federal tally of major breaches continues to grow. But even relatively small breaches can result in tough federal sanctions, as settlements announced earlier this week show (see 2 Stolen Laptop Incidents Lead to Penalties).
As of April 23, the federal "wall of shame" tally included 966 major breaches affecting a total of about 31.1 million individuals since 2009. About 35 breaches have been added to the tally, which tracks breaches affecting 500 or more individuals, in the past month (see Health Breach Tally: 30 Million Victims).
But while the tally helps draw attention to bigger breaches, two recent Department of Health and Human Services HIPAA compliance settlements offer a reminder that even very small breaches can result in sanctions if an investigation turns up serious issues. The settlements in cases involving stolen unencrypted laptops highlight the importance of encrypting data on mobile devices to prevent breaches. And keep in mind, the federal tally shows that the loss or theft of unencrypted devices or media has been the No. 1 cause of major breaches.
In an announcement of the settlements, Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights, which enforces HIPAA, notes: "Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: Encryption is your best defense against these incidents."
OCR entered a $250,000 resolution agreement with QCA Health Plan, based in Little Rock, Ark., which was the result of a HIPAA compliance investigation sparked by a breach involving a stolen unencrypted laptop that affected only 148 individuals - too small to make the federal tally of major breaches.
The other OCR settlement announced this week, which included a $1.72 million penalty, involved the theft of an unencrypted laptop from a facility owned by Concentra Health Services, an urgent care provider that's a subsidiary of Humana. That incident affected 870 individuals.
OCR says its investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.
While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient information vulnerable throughout the organization, OCR says.
Awareness of Risk
"Many healthcare organizations are in the same situation as Concentra, and they're usually aware of the risk, as was Concentra," says security and privacy expert Kate Borten, president of consulting firm The Marblehead Group.
Like Concentra, QCA had also begun encrypting its mobile computers, but hadn't completed that work at the time of its breach.
"That doesn't excuse the breach, but, for example, when individuals use their own laptops or when a medical center acquires a small practice where security technologies and practices are not embedded, there is a significant risk, and such breaches are likely to continue for years to come," Borten says. "My hope is that the number of such breaches drops over time, and that breaches occur only in 'outlier' circumstances."
Security expert Brian Evans, principal consultant at Tom Walsh Consulting, says the two settlements demonstrate that breaches don't have to be large to spur investigations that result in HIPAA penalties. "I do believe this action is confirmation that OCR will be scrutinizing CEs and BAs regardless of size or circumstances," he says.
That means covered entities and business associates need to conduct a thorough and timely risk assessment and then take action to mitigate the risks identified to help prevent breaches.
Lessons to Be Learned
"The primary lesson to be learned [from these recent cases] is that the cost to prevent mobile device data breaches is far less than the cost of mitigation," Evans says.
"The goal of encryption is to provide confidentiality protection for information. Most mobile devices have encryption already built into their operating systems," he notes.
BitLocker Drive Encryption is available in the Windows 7 operating system, which became available in 2009, he points out, and encryption is built into BlackBerry and Android and is enabled by default on iPhones, iPads and Windows Phone 8 and RT devices.
"I would suggest organizations assess their current state of encryption on all mobile devices," Evans says. "This would include organizationally provisioned as well as personally owned devices that handle confidential information.
"If encryption is not enabled on these devices, then determine how best to implement encryption or disallow their access to confidential information. The goal should be to have encryption enabled on all mobile devices accessing confidential information."
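One way to carry out the assessment Evans describes for Windows laptops is to collect `manage-bde -status` output from each machine and flag any volume that is not both fully encrypted and protected, which catches exactly the "incomplete and inconsistent" state OCR found at Concentra. This is an added example, not code from the article or from the firms quoted; the sample output below is constructed in the format `manage-bde -status` prints, with one finished OS volume and one data volume left half-encrypted.

```python
import re

# Constructed sample of `manage-bde -status` output from one laptop:
# the OS volume is done, the data volume was started and never finished.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.98 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 465.76 GB
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 43%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.MULTILINE)
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s+(.+?)\s*$")

def parse_status(text):
    """Return {drive letter: {field: value}} from manage-bde -status text."""
    volumes = {}
    chunks = VOLUME_RE.split(text)  # [preamble, "C", body, "D", body, ...]
    for letter, body in zip(chunks[1::2], chunks[2::2]):
        fields = {}
        for line in body.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        volumes[letter] = fields
    return volumes

def audit(volumes):
    """Only 'Fully Encrypted' with 'Protection On' counts as compliant;
    an in-progress or suspended volume still exposes data if stolen."""
    report = {}
    for letter, f in volumes.items():
        ok = (f.get("Conversion Status") == "Fully Encrypted"
              and f.get("Protection Status") == "Protection On")
        report[letter] = "compliant" if ok else "remediate"
    return report
```

Run the same parser over output gathered from every device in the inventory and the "remediate" list becomes the work queue Evans refers to: finish encryption or cut off the device's access to confidential information.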
Jennifer Smith, QCA's legal counsel, points out that the cost of a settlement with OCR goes far beyond any financial penalty.
She estimates the cost of carrying out OCR's corrective action plan requirements as part of the settlement "will probably be in the seven-figures." Under the plan, QCA must present to OCR "risk analysis and a corresponding risk management plan that contains security measures to reduce the risks and vulnerabilities to the electronic protected health information maintained by QCA to a reasonable and appropriate level," according to the resolution agreement.