Reporting HIPAA Breaches: A New ApproachRegulators Enhance Web Portal for Notification
As the number of health data breaches continues to climb, the Department of Health and Human Services is taking steps to make the process of using online tools to report breaches more efficient, hoping that will help ease the launching of investigations.
As of Jan. 23, the HHS Office for Civil Rights' tally of major health data breaches included 1,199 incidents affecting 41.5 million individuals that have occurred since OCR began tracking breaches in September 2009. At the end of 2014, the tally stood at 1,186 total incidents affecting 41.3 million individuals (see Biggest Health Data Breaches in 2014).
OCR, which oversees HIPAA enforcement, recently migrated breach reporting forms to an enhanced Web portal. "These changes to the breach portal are one of a number of significant process improvements on our backend that have resulted in tremendous efficiency for our investigative work," an OCR spokeswoman tells Information Security Media Group.
The new portal for submitting breach reports contains a note that the site is undergoing unspecified "improvements" through April 30, 2015. Among the new features so far is an expanded question asking organizations about their "actions taken" in response to their reported breach.
Some of the responses that organizations can check off are: adopting encryption technologies; changing or strengthening password requirements; creating new or updated security rule risk management plans; implementing new technical safeguards; improving physical security; revising business associate contracts; and providing training or retraining to BAs or workforce members.
The OCR spokeswoman declined to comment on exactly how that new information will be used in OCR investigations.
Achieving Twin Objectives
But OCR Director Jocelyn Samuel said in a statement provided to ISMG: "The breach notification requirements are achieving their twin objectives of increasing public transparency in cases of breach and increasing accountability of covered entities and business associates. The reports submitted to OCR indicate that millions of affected individuals are receiving notifications of breaches. At the same time, more entities are taking remedial action to provide relief and mitigation to individuals and to secure their data and prevent breaches from occurring in the future."
The leader of OCR says the office "continues to work with the covered entities and business associates to ensure appropriate remedial action is taken to address the causes of the breaches, to prevent future incidents, and to mitigate harm to affected individuals, as well as to ensure full compliance with the breach notification requirements."
OCR is trying to become more efficient in its breach and HIPAA complaint investigations as the number of these incidents grow. Samuels recently told reporters that the agency expects to receive about 17,000 HIPAA complaints this year.
In her statement provided to ISMG, Samuels says, "Anecdotally, we can say that we continue to see a rise in the number of reported breaches and individuals affected. Much of that, I think, may be attributed to covered entities and business associates' better understanding their compliance obligations under the breach rule."
Business associates are directly liable for HIPAA compliance under the HIPAA Omnibus Rule, which went into effect in 2013.
Besides trying to make its breach and HIPAA complaint investigation processes more efficient, OCR is also working on other enforcement projects, including resuming its long-overdue HIPAA audit programs, which remains stalled (see HIPAA Audit Are Still On Hold).
'Wall of Shame' Updates
In addition to launching the new Web portal for submitting breach reporting forms, OCR has updated its "wall of shame" website that lists health data breaches affecting 500 or more individuals.
"These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches," notes a message on the refreshed site. "Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the HHS secretary."
OCR did not respond to an ISMG inquiry about whether OCR will add back to the tally a column that previously listed when breaches were posted to the website.
Among the most notable incidents added to the federal breach tally in recent weeks is the Sony Pictures Entertainment hacking attack that compromised 30,000 employees' health information, as well a massive amount of other corporate information.
That incident, which occurred on Nov. 24, is listed on the OCR tally as a breach involving "Sony Pictures Entertainment Health and Welfare Benefits Plan", a health plan that provides medical insurance and other benefit for Sony employees.
"Many large companies are self-insured through some third party administrator, or TPA," notes security expert Tom Walsh, president of the consulting firm tw-Security, which was recently rebranded from its former name, Tom Walsh Consulting. So it's no surprise that Sony would store employee health information, he says. "I'm sure that there are a lot of companies that rely on their TPA to know what is legally required regarding their employees' PHI. This should be a wakeup call for all companies that are self-insured."
The Sony incident offers an important reminder for all organizations, not just healthcare organizations, to reassess their safeguards for protecting any sensitive employee health data from external threats, says healthcare and HIPAA attorney Susan A. Miller (see Protecting Employee Health Data).
Breaches on the Rise
OCR's Samuels tells ISMG, "In terms of numbers of individuals affected and types of breaches, based on what we have been seeing, I think it is safe to say that the number of individuals affected by hacking/IT incidents is on the rise. It is essential that our regulated industry take action to appropriately safeguard the ePHI that they hold from these types of threats and hazards."
Adds Walsh, the consultant: "If the government or big businesses - like Sony - which have far greater resources that most healthcare systems or community based hospitals, get hacked, any organization can get hacked. There is no way to defend against every attack if the hacker has enough time and other resources. The goal is to make them work hard to the point they'll move to a softer target."